TL;DR (Too Long; Didn’t Read)
We have integrated ChatGPT 4 to generate wholly unique websites that act as a façade for our adversary simulation infrastructure. This considerably reduces the likelihood of detection and reporting by anti-virus vendors and clients. The integration is a novel addition to our toolkit, although the concept of using such fronts is a longstanding strategy among threat actors. What sets our approach apart is the use of Generative AI, which streamlines the process and saves time.
While we adopt a multifaceted approach to elude EDR/XDR detection and other security frameworks, incorporating a range of protective methods and tactics, the integration of ChatGPT into our strategy stands out as a significant enhancement.
Infrastructure insight
Our infrastructure is built on a core principle, one that threat actors have adhered to for years: our Command and Control (C2) server must stay hidden to guarantee the effectiveness of our operations. Direct exposure of our C2 server to the internet would result in its swift detection since many anti-virus providers and other entities use bots to search the internet for malicious services.
data:image/s3,"s3://crabby-images/a1e1b/a1e1b7988842c9a8947b226aaebd8094912db3be" alt=""
Figure 1 Hiding your C2 infrastructure.
To mitigate this risk and emulate scenarios akin to those of advanced threat actors, one strategy we employ involves concealing our Command and Control (C2) server behind a façade that mimics a legitimate website. This site is subject to regular scrutiny by anti-virus bots, which detect no irregularities, thereby keeping our actual C2 server concealed from direct online exposure. The only method to establish communication with the C2 server involves sending requests to this decoy website, which then quietly tunnels them to the C2 server. This technique, combined with other anti-scan and bot protection services, effectively protects our infrastructure from detection.
Infrastructure challenge
As red teaming missions proliferate, there is an increasing need for novel domain names and new websites. While we could reuse a single adaptable website across various domain names, its constrained customization features could lead to fingerprinting. Such identifiable marks might enable the tracking of all associated domains using the same website template through platforms like Shodan. Moreover, we aimed to devise a method to craft unique websites that we can seamlessly integrate and deploy in our containerized environment, greatly simplifying the deployment process.
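The fingerprinting risk described above is exactly the check a threat-hunting team or scanner applies: strip the text from each page and compare what is left. The following added example (not code from the original post) computes a structural fingerprint over the tag order and CSS class names of a page and groups domains that share one. The sample pages, domain names and function names are constructed for the illustration.

```python
import hashlib
from html.parser import HTMLParser


class _SkeletonParser(HTMLParser):
    """Collect the tag/class skeleton of a page, ignoring all text content."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        # Sort class names so attribute order does not change the fingerprint.
        classes = dict(attrs).get("class") or ""
        self.tokens.append(f"<{tag} {' '.join(sorted(classes.split()))}>")

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def structural_fingerprint(html: str) -> str:
    """SHA-256 over the page skeleton: tag order plus CSS class names, text dropped.

    Two pages generated from the same template with different copy produce the
    same value; a page with a different layout produces a different one.
    """
    parser = _SkeletonParser()
    parser.feed(html)
    return hashlib.sha256("".join(parser.tokens).encode()).hexdigest()


def cluster_by_template(pages: dict[str, str]) -> dict[str, list[str]]:
    """Group domain names whose pages share a structural fingerprint."""
    clusters: dict[str, list[str]] = {}
    for domain, html in pages.items():
        clusters.setdefault(structural_fingerprint(html), []).append(domain)
    return {fp: sorted(domains) for fp, domains in clusters.items()}


# Constructed sample pages (not real sites): two share one template, one does not.
TEMPLATE = """<html><head><title>{title}</title></head>
<body><nav class="navbar sticky-top"><a class="nav-link" href="/">Home</a></nav>
<main class="container"><h1>{title}</h1><p class="lead">{text}</p></main>
<footer class="footer">{footer}</footer></body></html>"""

SAMPLE_PAGES = {
    "eco-example.test": TEMPLATE.format(title="Eco Sphere", text="Climate news", footer="Eco Sphere 2024"),
    "fin-example.test": TEMPLATE.format(title="Fin Daily", text="Market wrap", footer="Fin Daily 2024"),
    "unique-example.test": """<html><head><title>Crypto Pulse</title></head>
<body><header class="hero"><h1>Crypto Pulse</h1></header>
<section class="grid"><article class="card"><p>Block news</p></article></section></body></html>""",
}


def shared_template_domains(pages: dict[str, str] = SAMPLE_PAGES) -> list[list[str]]:
    """Return only the clusters with more than one domain: the template reuse a scanner would flag."""
    return [d for d in cluster_by_template(pages).values() if len(d) > 1]


if __name__ == "__main__":
    for group in shared_template_domains():
        print("same template:", ", ".join(group))
```

Because only the skeleton is hashed, swapping headlines, colours or copy between deployments does not change the fingerprint; only a different layout does, which is why the post favours generating a fresh layout per site rather than re-skinning one template.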
Solution – When AI comes into play
Choosing the right framework
Initially, it was essential to select a framework that wouldn’t create a surplus of files, as that would complicate our operations unnecessarily. Consequently, we chose Python, employing Flask and Jinja for their simplicity. The straightforwardness in development, maintenance, and utilization of these technologies influenced this decision. They provide a simplified method for developing unique websites that can be efficiently deployed within our containerized setup.
Leveraging AI for dynamic website generation
While it was possible to manually create and repeatedly reuse a series of websites with minor adjustments to HTML, CSS, and JS, we’re leveraging the capabilities available in 2024. AI enables us to automate and enhance the process of website generation, offering a dynamic and scalable solution that generates unique, and difficult to fingerprint, fronting websites.
data:image/s3,"s3://crabby-images/3e545/3e54522f1d115c832b04f2652dcb8e7fbbee4083" alt=""
Figure 2 🙂
Website configuration and generation details
Our approach incorporates a Python “Website Generator”, a Flask application, and a YAML configuration file, enabling swift and flexible website configuration. Users can specify various parameters like name, title, description, domain, content data sources, CSS framework, and prompt modifiers to tailor the generation process according to the specific scenario.
System configuration and daily updates
In the planning phase, we assessed that a website featuring daily updates and changes would have a reduced likelihood of being perceived as malicious. Consequently, we developed a tool to incorporate a “data source,” ensuring the website is refreshed with new content every 24 hours. The “data source” configuration is adaptable, facilitating connections with multiple data sources, such as newsapi, RSS feeds, and static data. The system’s design is simple and allows for easy growth. Using Python and YAML, you can easily expand the system by incorporating additional content sources to meet the project’s needs.
```yaml
website:
  code_name: "ecoglobechronicles"
  prompt_jinja2_data:
    name: "Embrace the Eco Pulse"
    title: "Eco Sphere Daily Insights"
    description: >
      "Dive into the world of environmental news with Eco Sphere Daily Insights.
      Get the latest updates and in-depth analysis on everything related to our planet's ecosystem, including climate change, biodiversity, renewable energy, and more."
    domain_name: REDACTED
  data_source:
    source: "newsapi"
    query: "environment"
  prompt_modifier: >
    1. Create an advanced website using components from the specified framework (complex layout, carousel, headers,
    navbar, pagination, typography, fonts, album, blog, custom jumbotron, sticky footer/header, pricing for news subscription, features).
    2. Define a modern color palette inspired by nature and apply it across the website's CSS and HTML.
    4. Design the website to be extensive and intricate, reflecting the complexity and interconnectivity of our ecosystem.
    5. Integrate environmentally themed icons and graphics to enhance user engagement and convey the website's focus.
  frameworks:
    - name: "Bootstrap"
      cdn: "https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.min.js"
    - name: "tailwind"
      cdn: "https://cdn.tailwindcss.com"
```
Ensuring dynamic content availability
To ensure that both the prompt and the Flask application know which data is available for inclusion in the template, we developed a process that determines the available Jinja keys from sample data pulled before the prompt is generated. This way, as the data source and prompt_jinja2_data change, website generation remains functional and complete.
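The key-discovery step in the previous section, together with the pluggable "data source" idea from "System configuration and daily updates", is shown below as an added example; it is not the post's own generator code. It flattens a sample record into the dotted key paths a Jinja template may reference and then checks a template for references no key can satisfy. The parsed YAML is stood in by an inline dict (what a PyYAML `safe_load` of a config in the shape above would return), and the `static` source, the registry and the function names are assumptions made so the example runs offline.

```python
import re
from typing import Any, Callable

# Constructed stand-in for the parsed YAML config; a real run would load the
# file with yaml.safe_load and pick a live source such as newsapi or an RSS feed.
CONFIG: dict[str, Any] = {
    "website": {
        "code_name": "ecoglobechronicles",
        "prompt_jinja2_data": {
            "name": "Embrace the Eco Pulse",
            "title": "Eco Sphere Daily Insights",
            "description": "Environmental news and analysis.",
        },
        "data_source": {"source": "static", "query": "environment"},
    }
}

# Registry of data sources keyed by the YAML `source` value; a newsapi or RSS
# fetcher would be registered with the same decorator.
DATA_SOURCES: dict[str, Callable[[str], dict[str, Any]]] = {}


def data_source(name: str):
    def register(fn):
        DATA_SOURCES[name] = fn
        return fn
    return register


@data_source("static")
def static_sample(query: str) -> dict[str, Any]:
    """Constructed sample record in the shape a feed adapter would return."""
    return {
        "topic": query,
        "updated": "2024-01-01T00:00:00Z",
        "articles": [
            {"title": "Sample headline", "url": "https://example.invalid/a", "summary": "..."},
        ],
    }


def discover_jinja_keys(sample: Any, prefix: str = "") -> list[str]:
    """Flatten a sample record into dotted key paths; list items are written as `path[]`."""
    keys: list[str] = []
    if isinstance(sample, dict):
        for k, v in sample.items():
            path = f"{prefix}.{k}" if prefix else k
            keys.append(path)
            keys.extend(discover_jinja_keys(v, path))
    elif isinstance(sample, list) and sample:
        keys.extend(discover_jinja_keys(sample[0], prefix + "[]"))
    return keys


def available_keys(config: dict[str, Any]) -> list[str]:
    """Pull one sample from the configured source and list every key the template may use."""
    site = config["website"]
    src = site["data_source"]
    sample = DATA_SOURCES[src["source"]](src["query"])
    context = {**site["prompt_jinja2_data"], "data": sample}
    return discover_jinja_keys(context)


_VAR = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)")
_LOOP = re.compile(r"\{%\s*for\s+(\w+)\s+in\s+([\w.]+)")


def unknown_references(template_src: str, keys: list[str]) -> list[str]:
    """Return template variable paths that no discovered key can satisfy."""
    known = set(keys)
    aliases = {var: target + "[]" for var, target in _LOOP.findall(template_src)}
    unknown = []
    for ref in _VAR.findall(template_src):
        head, _, rest = ref.partition(".")
        path = aliases.get(head, head) + ("." + rest if rest else "")
        if path not in known:
            unknown.append(ref)
    return unknown


# Constructed template with one reference the sample data cannot satisfy.
SAMPLE_TEMPLATE = (
    "<h1>{{ title }}</h1>{% for a in data.articles %}"
    '<a href="{{ a.url }}">{{ a.title }}</a>{% endfor %}<p>{{ data.missing }}</p>'
)

if __name__ == "__main__":
    keys = available_keys(CONFIG)
    print("keys:", keys)
    print("unknown:", unknown_references(SAMPLE_TEMPLATE, keys))
```

Running the check against generated HTML before it is stored catches the case where the model invents a variable the data source never provides, which would otherwise render as an empty field on the live site.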
Integration and deployment
This information is processed by the WebSiteGenerator, which constructs a comprehensive prompt and interacts with ChatGPT to produce the necessary HTML, CSS, and JS for the website. Once generated, this code, along with its configuration, is stored on the disk. Subsequently, a Docker container running the Flask app is initiated. Although we had the option to embed configuration data directly within the HTML, we opted for a more flexible approach. The YAML configuration remains editable post-ChatGPT generation, allowing for adjustments and further customization at any stage.
data:image/s3,"s3://crabby-images/eb333/eb333c5286ac8c8a281cb21fca30fd241e78589a" alt=""
Figure 3 Website generation process.
Cost
After three days of development and testing with ChatGPT 4 Turbo, the total cost came to $5. Creating a website usually costs between 2 and 5 cents, which is pretty cheap. This cost estimate isn't exact, but it shows how inexpensive it is.
data:image/s3,"s3://crabby-images/43323/4332332e7725418dc40c81ce0c7335e700c1e9ca" alt=""
Figure 4 ChatGPT 4 Turbo overall cost.
Conclusion
We are impressed by ChatGPT's ability to generate sophisticated website fronts across different frameworks at low cost. This technology enables the creation of diverse fronts that evade fingerprinting, so that the detection of one instance does not expose the others. However, we see potential for further enhancement through a multi-prompt website creation approach. This would enable the generation of fully interactive websites by producing both frontend and backend source code. Such a process could run on a Python backend, leveraging inheritance and parent classes to streamline development.
Examples
To close, here are some of the generated websites. Interestingly, they are not only quite visually appealing but also responsive!
Ecology
data:image/s3,"s3://crabby-images/cfd26/cfd261e83022561578c72f89f32651c4fb0bc5aa" alt="Example of a website for ecology"
Finance
data:image/s3,"s3://crabby-images/7cab9/7cab9607210c9d84eee8abf760ff1e04d5af72a1" alt="Example of a website for finance"
Finance 2
data:image/s3,"s3://crabby-images/0a1e4/0a1e4621f781dd6a2554d1b6c52aa3c2342aa18c" alt="Another example of a website for finance"
Crypto
data:image/s3,"s3://crabby-images/94140/94140e4d9d5d1fecb2ea58e8d22e4d73f712d48a" alt="Example of a website for crypto"