Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-CompromisedWordPressRedirector.
Upgrade to ProDetect Compromised WordPress Sites Weaponized as Malware Distribution Redirectors in Sumo Logic CSE
Rather than standing up adversary-registered infrastructure that carries no reputation and is trivially blocked, actors including TA569 (SocGholish), the Gootloader crew, and Parrot TDS operators mass-compromise legitimate, high-reputation WordPress sites — typically via outdated plugins, stolen admin credentials, or vulnerable themes — and repurpose them as first-stage redirectors and payload-staging hosts. A compromised site is injected with obfuscated JavaScript (a 'fake update' overlay for SocGholish, or SEO-poisoned legal-document lures for Gootloader) that fingerprints the visitor and conditionally redirects first-time, non-crawler visitors through a traffic-distribution-system (TDS) chain to the actor's actual payload or phishing kit, while returning normal content to repeat visitors, bots, and security scanners. Because the compromised domain has years of clean history, a real TLS certificate, and legitimate unrelated content, domain-reputation-based blocking is ineffective; detection must instead focus on (1) the injected-script/traffic-fingerprinting pattern in outbound web traffic, (2) DNS and HTTP indicators of TDS chaining (rapid multi-hop redirects with cloaking headers), and (3) the file-drop/execution pattern that follows a user visiting an otherwise-reputable site and immediately downloading and running an unsigned binary.
MITRE ATT&CK
- Tactic
- Resource Development
Sumo Detection Query
_sourceCategory=*sysmon*
| json auto
| where (TargetFilename matches "*\\Downloads\\*" or TargetFilename matches "*\\Temp\\*")
| where Image matches "*chrome.exe*" or Image matches "*msedge.exe*" or Image matches "*firefox.exe*"
| eval IsScriptExt = if(matches(TargetFilename, "\.(js|hta)$"), "true", "false")
| eval RiskScore = if(IsScriptExt = "true", 80, 60)
| stats count as DownloadCount, values(TargetFilename) as SampleFiles by _sourceHost, Image, RiskScore
| sort by RiskScore desc Sumo Logic detection for browser-initiated downloads of script/installer files into Downloads or Temp, with elevated scoring for raw script extensions consistent with fake-update lure delivery from a compromised legitimate site. Intended to be paired with a downstream execution-correlation query for full-fidelity alerting.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers downloaded and later manually executed
- IT deployment automation staging files in user Temp directories
- Browser update mechanisms writing installer packages to Downloads
Other platforms for THREAT-Infra-CompromisedWordPressRedirector
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Browser Download Followed by Rapid Script-Host Execution (Fake-Update Simulation)
Expected signal: Sysmon Event ID 11: file creation at Downloads\atomic_update.js by powershell.exe. Sysmon Event ID 1: wscript.exe launching atomic_update.js roughly 2 seconds later, with ParentImage referencing the shell chain rather than a browser (adjust InitiatingProcessFileName filter to powershell.exe for this simulation).
- Test 2Simulated Multi-Hop Redirect Chain via Sequential curl Requests
Expected signal: Sysmon Event ID 3 / DeviceNetworkEvents: four outbound connections from powershell.exe to four distinct hostnames within approximately 3 seconds.
- Test 3Same Referring URL Accessed From Multiple Simulated Hosts (SEO-Poisoning Pattern)
Expected signal: Sysmon Event ID 3 / proxy logs: outbound HTTPS request to example.com with the atomic_test_lure query string logged.
References (5)
- https://attack.mitre.org/techniques/T1584/006/
- https://attack.mitre.org/tactics/TA0042/
- https://www.proofpoint.com/us/blog/threat-insight/socgholish-fake-browser-updates
- https://www.sophos.com/en-us/threat-center/threat-monitoring/threat-analyses/gootloader
- https://blog.talosintelligence.com/traffic-direction-systems/
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Infra-CompromisedWordPressRedirector — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month