Thursday, April 3, 2025
HomeCyber Security NewsGoogle’s New XRefer Tool To Analyze More Complex Malware Samples

Google’s New XRefer Tool To Analyze More Complex Malware Samples

Published on

SIEM as a Service

Follow Us on Google News

XRefer, an IDA Pro plugin, enhances binary analysis with a persistent companion view by employing Gemini-powered cluster analysis to decompose binaries into functional units, providing high-level architectural overviews akin to viewing a city’s districts. 

Simultaneously, it offers a context-aware view that dynamically updates based on the analyst’s code location, which presents relevant artifacts from both the current function and related functions along the execution path, enabling efficient navigation and identification of critical code segments. 

Refer opened as a side pane, displaying Cluster Tables
Refer opened as a side pane, displaying Cluster Tables

It is a binary analysis tool that can automatically decompose a binary program into functional units (clusters) using static analysis, where each cluster is labelled with a descriptive name to show its functionality. 

By leveraging a large language model (LLM) named Gemini, it provides natural language descriptions of each cluster and how they relate to each other. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Users can navigate between clusters in a linear or graphical way to see the details of each cluster, including its member functions and their cross-references. 

It offers two approaches for clustering: including all analyzed paths or focusing on a subset filtered by artifacts (functionalities extracted from the binary) with the help of LLM. 

While the first approach is comprehensive, it may include irrelevant library clusters, and the second approach can be inconsistent due to the nature of LLMs but provides a cleaner view by filtering out noisy functions. 

Cluster Relationship graph view
Cluster Relationship graph view

A plugin for the IDA Pro disassembler enhances code analysis by providing context-aware navigation, which classifies functions based on their relationships (clusters) and prefixes their names for easier identification.  

A key feature is the function context table, which displays cluster membership, directly referenced artifacts (APIs, strings, etc.), and indirectly referenced artifacts reachable through execution paths. 

Peek View allows analysts to filter artifacts based on a selected function’s execution path, offering a glimpse of downstream functionality, which allows generating path graphs that visually represent all execution paths leading to a specific artifact. 

Showing side by side versions of an example normal path graph and its corresponding simplified path graph with 20% reduction
Showing side by side versions of an example normal path graph and its corresponding simplified path graph with 20% reduction

It is an IDA plugin that enhances binary analysis by providing cross-reference views, trace navigation, and artifact exclusion, which supports various artifact types, including function calls, strings, and API references. 

By leveraging a Large Language Model (LLM), it analyzes relationships between artifacts and generates semantic descriptions for code clusters, which achieves this by building execution paths between entry points and functions containing artifacts. 

It also supports language-specific analysis through modules, with a built-in Rust module for identification of library usage and basic function renaming.

XRefer settings dialog box
XRefer settings dialog box

According to Mandiant, XRefer’s initial release focuses on systematic code analysis, prioritizing accuracy over LLM-based summarization, which currently supports cluster analysis of code, providing high-level insights for analysts. 

Future development includes extending cluster analysis to encompass code submissions, researching path-independent clustering for speed improvements, implementing LLM-based cluster merging, ensuring support for non-Windows file formats, and adding support for Golang modules. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Cisco AnyConnect VPN Server Vulnerability Allows Attackers to Trigger DoS

Cisco has disclosed a significant vulnerability in its AnyConnect VPN Server for Meraki MX and Z...

New Trinda Malware Targets Android Devices by Replacing Phone Numbers During Calls

Kaspersky Lab has uncovered a new version of the Triada Trojan, a sophisticated malware...

DarkCloud Stealer Uses Weaponized .TAR Archives to Target Organizations and Steal Passwords

A recent cyberattack campaign leveraging the DarkCloud stealer has been identified, targeting Spanish companies...

SonicWall Firewall Vulnerability Enables Unauthorized Access

Researchers from Bishop Fox have successfully exploited CVE-2024-53704, an authentication bypass vulnerability that affects SonicWall...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Cisco AnyConnect VPN Server Vulnerability Allows Attackers to Trigger DoS

Cisco has disclosed a significant vulnerability in its AnyConnect VPN Server for Meraki MX and Z...

New Trinda Malware Targets Android Devices by Replacing Phone Numbers During Calls

Kaspersky Lab has uncovered a new version of the Triada Trojan, a sophisticated malware...

DarkCloud Stealer Uses Weaponized .TAR Archives to Target Organizations and Steal Passwords

A recent cyberattack campaign leveraging the DarkCloud stealer has been identified, targeting Spanish companies...