- Check Point used GenAI to semi-automate reverse engineering of the elusive infostealer XLoader
- AI cracked code, revealed APIs and found 64 hidden C2 domains and sandbox evasion methods
- XLoader evolved from Formbook; AI speeds up analysis but doesn't replace human malware analysts
Cybersecurity researchers at Check Point Research may have cracked one of the most devious malware families to ever exist, thanks to Generative Artificial Intelligence (GenAI).
In a new blog post, the researchers explained how analyzing malware is a time-consuming manual process that requires researchers to "unpack binaries, trace functions, and create decryption scripts." Analyzing XLoader, an infamous infostealer that has been around for about half a decade, is even more difficult, because it cannot be isolated.
That's when Check Point turned to AI for help. Using ChatGPT, the researchers combined two complementary workflows: cloud-based static analysis and MCP-assisted runtime analysis. The first exports data from IDA Pro and allows the AI to analyze it in the cloud. "The model identified encryption algorithms, recognized data structures, and even generated Python scripts to decrypt sections of code," the researchers explained.
Unpacking XLoader
The second connected the AI to a live debugger to extract runtime values such as encryption keys, decrypted buffers, and in-memory C2 data. "This hybrid AI workflow turned tedious manual reverse engineering into a semi-automated process that is faster, repeatable, and easier to share across teams."
Check Point was impressed with the results. They claim to have cracked the core code, revealed layers of encryption, unmasked hidden APIs, recovered 64 hidden C2 domains, and discovered a new sandbox evasion mechanism referred to as the "protected calling springboard."
In short, AI helped uncover how XLoader hides, communicates and protects itself, which is vital information in the fight against infections. Still, Check Point emphasized that despite the impressive results, AI "doesn't replace malware analysts" but rather "supercharges" them with speed, reproducibility, insight and coverage.
The first reports of XLoader date back to 2021, when Check Point Research spotted it in the wild, stealing data from macOS users. It evolved from the infamous Formbook malware which, at the time, had been active for over five years. While Formbook was initially created to be a simple keylogger, it has since been updated and renamed XLoader. Formbook was primarily used against Windows users.
