Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-CompromisedWordPressRedirector.

Upgrade to Pro
THREAT-Infra-CompromisedWordPressRedirector Google Chronicle · YARA-L

Detect Compromised WordPress Sites Weaponized as Malware Distribution Redirectors in Google Chronicle

Rather than standing up adversary-registered infrastructure that carries no reputation and is trivially blocked, actors including TA569 (SocGholish), the Gootloader crew, and Parrot TDS operators mass-compromise legitimate, high-reputation WordPress sites — typically via outdated plugins, stolen admin credentials, or vulnerable themes — and repurpose them as first-stage redirectors and payload-staging hosts. A compromised site is injected with obfuscated JavaScript (a 'fake update' overlay for SocGholish, or SEO-poisoned legal-document lures for Gootloader) that fingerprints the visitor and conditionally redirects first-time, non-crawler visitors through a traffic-distribution-system (TDS) chain to the actor's actual payload or phishing kit, while returning normal content to repeat visitors, bots, and security scanners. Because the compromised domain has years of clean history, a real TLS certificate, and legitimate unrelated content, domain-reputation-based blocking is ineffective; detection must instead focus on (1) the injected-script/traffic-fingerprinting pattern in outbound web traffic, (2) DNS and HTTP indicators of TDS chaining (rapid multi-hop redirects with cloaking headers), and (3) the file-drop/execution pattern that follows a user visiting an otherwise-reputable site and immediately downloading and running an unsigned binary.

MITRE ATT&CK

Tactic
Resource Development

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule compromised_web_service_redirector {
  meta:
    author = "Detection Engineering"
    description = "Detects browser download-then-execute pattern consistent with a compromised legitimate site serving a fake-update or fake-document lure"
    severity = "HIGH"
    confidence = "medium"
    mitre_attack = "T1584.006"
    reference = "https://attack.mitre.org/techniques/T1584/006/"

  events:
    $download.metadata.event_type = "FILE_CREATION"
    $download.target.file.full_path = /(?i)\\(Downloads|Temp)\\.*\.(js|hta|msi|exe|zip)$/
    $download.principal.process.file.full_path = /(?i)(chrome|msedge|firefox)\.exe/

    $exec.metadata.event_type = "PROCESS_LAUNCH"
    $exec.principal.process.file.full_path = /(?i)(wscript|cscript|powershell|mshta)\.exe/
    $exec.target.process.command_line = $download.target.file.full_path

    $download.target.asset.hostname = $exec.target.asset.hostname

  condition:
    $download and $exec
}
high severity medium confidence

Google Chronicle YARA-L 2.0 detection correlating a browser-initiated file download in Downloads/Temp with a subsequent scripting-engine execution referencing that same file path on the same host — the drive-by/fake-update execution pattern typical of compromised legitimate WordPress sites serving SocGholish or Gootloader-style lures.

Data Sources

Google Chronicle SIEMFile eventsProcess events

Required Tables

FILE_CREATIONPROCESS_LAUNCH

False Positives & Tuning

  • Legitimate auto-updater software downloading and self-executing an installer
  • IT deployment scripts writing and then invoking a helper script from Temp
  • Manual user download-then-run of a legitimate vendor-provided tool

Other platforms for THREAT-Infra-CompromisedWordPressRedirector


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Browser Download Followed by Rapid Script-Host Execution (Fake-Update Simulation)

    Expected signal: Sysmon Event ID 11: file creation at Downloads\atomic_update.js by powershell.exe. Sysmon Event ID 1: wscript.exe launching atomic_update.js roughly 2 seconds later, with ParentImage referencing the shell chain rather than a browser (adjust InitiatingProcessFileName filter to powershell.exe for this simulation).

  2. Test 2Simulated Multi-Hop Redirect Chain via Sequential curl Requests

    Expected signal: Sysmon Event ID 3 / DeviceNetworkEvents: four outbound connections from powershell.exe to four distinct hostnames within approximately 3 seconds.

  3. Test 3Same Referring URL Accessed From Multiple Simulated Hosts (SEO-Poisoning Pattern)

    Expected signal: Sysmon Event ID 3 / proxy logs: outbound HTTPS request to example.com with the atomic_test_lure query string logged.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Infra-CompromisedWordPressRedirector — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections