One of the most devious malware strains might have been cracked - and it's all thanks to Gen AI
ChatGPT to the rescue, once again
- Check Point used GenAI to semi-automate reverse engineering of the evasive XLoader infostealer
- AI decrypted code, revealed APIs, and uncovered 64 hidden C2 domains and sandbox evasion tricks
- XLoader evolved from Formbook; AI boosts analysis speed but doesn’t replace human malware analysts
Cybersecurity researchers from Check Point Research may have just cracked one of the most devious malware families to have ever existed, thanks to Generative Artificial Intelligence (GenAI).
In a new blog post, the researchers explained how analyzing malware is a slow, manual process that requires researchers to “unpack binaries, trace functions, and build decryption scripts”. Analyzing XLoader - an infamous infostealer that’s been around for roughly half a decade - is even more difficult, because it cannot be sandboxed.
That’s when Check Point turned to AI for assistance. Using ChatGPT, the researchers combined two complementary workflows: cloud-based static analysis, and MCP-assisted runtime analysis. The first exports data from IDA Pro and lets the AI analyze it in the cloud. “The model identified encryption algorithms, recognized data structures, and even generated Python scripts to decrypt sections of code,” the researchers explained.
Unpacking XLoader
The second connected the AI to a live debugger to extract runtime values such as encryption keys, decrypted buffers, and in-memory C2 data. “This hybrid AI workflow turned tedious manual reverse engineering into a semi-automated process that’s faster, repeatable, and easy to share across teams.”
Check Point was impressed with the results. They claim to have decrypted core code, revealed encryption layers, unmasked hidden APIs, recovered 64 hidden C2 domains, and discovered a new sandbox evasion mechanism called “secure-call trampoline”.
In short, AI helped unpack how XLoader hides, communicates, and protects itself, which is crucial information in the fight against infections. Still, Check Point stressed that despite the great work, AI “doesn’t replace malware analysts” but rather “supercharges” them with speed, reproducibility, insight, and defense.
Earliest records of XLoader date back to 2021, when Check Point Research saw it in the wild, stealing data from macOS users. It evolved from the infamous Formbook malware, which at the time had been active for over five years. While Formbook was initially created as a simple keylogger, it was upgraded and rebranded as XLoader. Formbook primarily targeted Windows users.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.