Cyber Security News

Google’s New XRefer Tool To Analyze More Complex Malware Samples

XRefer, an IDA Pro plugin, enhances binary analysis with a persistent companion view by employing Gemini-powered cluster analysis to decompose binaries into functional units, providing high-level architectural overviews akin to viewing a city’s districts. 

Simultaneously, it offers a context-aware view that dynamically updates based on the analyst’s code location, which presents relevant artifacts from both the current function and related functions along the execution path, enabling efficient navigation and identification of critical code segments. 

Refer opened as a side pane, displaying Cluster Tables

It is a binary analysis tool that can automatically decompose a binary program into functional units (clusters) using static analysis, where each cluster is labelled with a descriptive name to show its functionality. 

By leveraging a large language model (LLM) named Gemini, it provides natural language descriptions of each cluster and how they relate to each other. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Users can navigate between clusters in a linear or graphical way to see the details of each cluster, including its member functions and their cross-references. 

It offers two approaches for clustering: including all analyzed paths or focusing on a subset filtered by artifacts (functionalities extracted from the binary) with the help of LLM. 

While the first approach is comprehensive, it may include irrelevant library clusters, and the second approach can be inconsistent due to the nature of LLMs but provides a cleaner view by filtering out noisy functions. 

Cluster Relationship graph view

A plugin for the IDA Pro disassembler enhances code analysis by providing context-aware navigation, which classifies functions based on their relationships (clusters) and prefixes their names for easier identification.  

A key feature is the function context table, which displays cluster membership, directly referenced artifacts (APIs, strings, etc.), and indirectly referenced artifacts reachable through execution paths. 

Peek View allows analysts to filter artifacts based on a selected function’s execution path, offering a glimpse of downstream functionality, which allows generating path graphs that visually represent all execution paths leading to a specific artifact. 

Showing side by side versions of an example normal path graph and its corresponding simplified path graph with 20% reduction

It is an IDA plugin that enhances binary analysis by providing cross-reference views, trace navigation, and artifact exclusion, which supports various artifact types, including function calls, strings, and API references. 

By leveraging a Large Language Model (LLM), it analyzes relationships between artifacts and generates semantic descriptions for code clusters, which achieves this by building execution paths between entry points and functions containing artifacts. 

It also supports language-specific analysis through modules, with a built-in Rust module for identification of library usage and basic function renaming.

XRefer settings dialog box

According to Mandiant, XRefer’s initial release focuses on systematic code analysis, prioritizing accuracy over LLM-based summarization, which currently supports cluster analysis of code, providing high-level insights for analysts. 

Future development includes extending cluster analysis to encompass code submissions, researching path-independent clustering for speed improvements, implementing LLM-based cluster merging, ensuring support for non-Windows file formats, and adding support for Golang modules. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

1 day ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

1 day ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

1 day ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

1 day ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

1 day ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

1 day ago