Wednesday, December 18, 2024
HomeCyber Security NewsGoogle’s New XRefer Tool To Analyze More Complex Malware Samples

Google’s New XRefer Tool To Analyze More Complex Malware Samples

Published on

SIEM as a Service

XRefer, an IDA Pro plugin, enhances binary analysis with a persistent companion view by employing Gemini-powered cluster analysis to decompose binaries into functional units, providing high-level architectural overviews akin to viewing a city’s districts. 

Simultaneously, it offers a context-aware view that dynamically updates based on the analyst’s code location, which presents relevant artifacts from both the current function and related functions along the execution path, enabling efficient navigation and identification of critical code segments. 

Refer opened as a side pane, displaying Cluster Tables
Refer opened as a side pane, displaying Cluster Tables

It is a binary analysis tool that can automatically decompose a binary program into functional units (clusters) using static analysis, where each cluster is labelled with a descriptive name to show its functionality. 

- Advertisement - SIEM as a Service

By leveraging a large language model (LLM) named Gemini, it provides natural language descriptions of each cluster and how they relate to each other. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Users can navigate between clusters in a linear or graphical way to see the details of each cluster, including its member functions and their cross-references. 

It offers two approaches for clustering: including all analyzed paths or focusing on a subset filtered by artifacts (functionalities extracted from the binary) with the help of LLM. 

While the first approach is comprehensive, it may include irrelevant library clusters, and the second approach can be inconsistent due to the nature of LLMs but provides a cleaner view by filtering out noisy functions. 

Cluster Relationship graph view
Cluster Relationship graph view

A plugin for the IDA Pro disassembler enhances code analysis by providing context-aware navigation, which classifies functions based on their relationships (clusters) and prefixes their names for easier identification.  

A key feature is the function context table, which displays cluster membership, directly referenced artifacts (APIs, strings, etc.), and indirectly referenced artifacts reachable through execution paths. 

Peek View allows analysts to filter artifacts based on a selected function’s execution path, offering a glimpse of downstream functionality, which allows generating path graphs that visually represent all execution paths leading to a specific artifact. 

Showing side by side versions of an example normal path graph and its corresponding simplified path graph with 20% reduction
Showing side by side versions of an example normal path graph and its corresponding simplified path graph with 20% reduction

It is an IDA plugin that enhances binary analysis by providing cross-reference views, trace navigation, and artifact exclusion, which supports various artifact types, including function calls, strings, and API references. 

By leveraging a Large Language Model (LLM), it analyzes relationships between artifacts and generates semantic descriptions for code clusters, which achieves this by building execution paths between entry points and functions containing artifacts. 

It also supports language-specific analysis through modules, with a built-in Rust module for identification of library usage and basic function renaming.

XRefer settings dialog box
XRefer settings dialog box

According to Mandiant, XRefer’s initial release focuses on systematic code analysis, prioritizing accuracy over LLM-based summarization, which currently supports cluster analysis of code, providing high-level insights for analysts. 

Future development includes extending cluster analysis to encompass code submissions, researching path-independent clustering for speed improvements, implementing LLM-based cluster merging, ensuring support for non-Windows file formats, and adding support for Golang modules. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Latest articles

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT,"...

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has...

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one...

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT,"...

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has...

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one...