Sadogo
Malware

⚠️ Overview
Sadogo is a Go-based backdoor and cryptocurrency-miner dropper first identified by Aqua Security in June 2021. It targets misconfigured Docker environments by abusing Docker daemon APIs that have been exposed to the network, and it is operated by an unidentified, financially motivated threat actor. The malware belongs to the category of cryptojacking and container-targeted malware and is often deployed as one stage of a larger attack chain against cloud infrastructure.
🔧 Technical Capabilities
Sadogo propagates by scanning public IP ranges for Docker REST APIs exposed on TCP ports 2375 (unencrypted) and 2376 (TLS). Once an exposed daemon is found, it uses Docker's remote API to pull and run a malicious container image named sadogo that bundles the XMRig Monero miner with a C2 backdoor component. The backdoor establishes outbound HTTPS connections to command-and-control (C2) servers and resolves them over DNS-over-HTTPS (DoH) to evade DNS-based network monitoring. For persistence, it modifies the host's iptables rules and sets Docker restart policies so that the container resumes after system reboots. Evasion techniques include runtime encryption of strings in the miner binary and infrequent C2 check-ins with long intervals to avoid detection.
📜 History & Notable Incidents
First reported in Aqua Security's June 2021 threat research (blog.aquasec.com/sadogo‑malware‑docker), Sadogo primarily targeted cloud environments in North America and Asia during Q3 2021. No high-profile victims have been publicly named, but the campaign infected hundreds of exposed Docker hosts. No CVEs are directly associated with Sadogo; instead it exploits a misconfiguration, corresponding to MITRE ATT&CK techniques T1525 (Implant Internal Image) and T1046 (Network Service Scanning). No law enforcement actions against the operators had been reported as of early 2023.
🔍 Detection Indicators
Host-based indicators include a Docker container named sadogo or an image named sadogo in the local image store. Network IOCs include outbound HTTPS traffic to domains registered through anonymizing services (e.g., `sadogo[.]xyz`, reported in Aqua's analysis). Behavioral signatures include unusual CPU usage from the XMRig process and repeated inbound Docker API requests on TCP 2375/2376 from scanning hosts. No file hashes have been officially published; detection relies on network and container behavior.
☠️ Risk & Impact
Impact includes unauthorized Monero mining that consumes host CPU resources, leading to degraded performance and increased cloud costs. The backdoor component can exfiltrate environment variables, credentials, and container secrets, enabling lateral movement within compromised cloud accounts. The primary affected sectors are cloud service providers and enterprises running unsecured Docker deployments; financial losses stem from the electricity and compute consumed by mining and from the cost of replacing compromised infrastructure.
🛡️ Mitigation
Recommended defenses include disabling remote Docker API access on ports 2375/2376 (the daemon listens only on its local Unix socket by default, so a TCP listener on these ports is always an explicit configuration choice), requiring TLS client-certificate authentication (tlsverify) for any remote administration that must remain, and implementing network segmentation so that the daemon is not reachable from the internet. Aqua Security released YARA rules and a detection script (available from their GitHub repository) to identify Sadogo container images. Regular scanning of container registries and runtime behavioral monitoring can also surface the malicious image.
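As an added example (not code from this page, from Aqua Security's released detection script, or from the Sadogo analysis), the following Python audits a Docker host for the host-based indicators listed under Detection Indicators and for the exposed-API condition addressed under Mitigation. It reads constructed samples standing in for the output of `docker images --format '{{json .}}'`, `docker inspect` and `ss -ltnp`; the sample data, the function names and the choice to ignore loopback-only listeners are assumptions of the example.

```python
"""Offline audit of Docker host artifacts for the Sadogo indicators above.

Example code added here; not from the page, Aqua Security, or the malware analysis.
Inputs are constructed samples standing in for real command output.
"""
import json
import re

# Name reported in the analysis above for both the image and the container.
SUSPECT_NAMES = {"sadogo"}
# Docker remote API ports named above: 2375 is plaintext, 2376 expects TLS.
PLAINTEXT_API_PORT = 2375
TLS_API_PORT = 2376
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


def _short_name(ref: str) -> str:
    """Reduce 'registry/ns/name:tag' or 'name@sha256:...' to the bare image name."""
    ref = ref.split("@", 1)[0]
    name = ref.rsplit("/", 1)[-1]
    return name.split(":", 1)[0].lower()


def flag_images(images_jsonl: str) -> list[str]:
    """Scan `docker images --format '{{json .}}'` output (one JSON object per line)."""
    findings = []
    for line in images_jsonl.splitlines():
        if not line.strip():
            continue
        img = json.loads(line)
        repo = img.get("Repository", "")
        if _short_name(repo) in SUSPECT_NAMES:
            findings.append(f"image {repo}:{img.get('Tag', '')} matches a suspect name")
    return findings


def flag_containers(inspect_json: str) -> list[str]:
    """Scan `docker inspect` output for suspect names and record the restart policy,
    since the analysis above describes restart policies being used for persistence."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        image = c.get("Config", {}).get("Image", "")
        restart = c.get("HostConfig", {}).get("RestartPolicy", {}).get("Name") or "no"
        if name.lower() in SUSPECT_NAMES or _short_name(image) in SUSPECT_NAMES:
            findings.append(
                f"container {name} runs suspect image {image} (restart policy: {restart})"
            )
    return findings


# Matches `ss -ltnp` rows such as: LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(...)
_SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def flag_listeners(ss_output: str) -> list[str]:
    """Scan `ss -ltnp` output for a Docker API listener reachable from the network."""
    findings = []
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line)
        if not m:
            continue
        addr, port = m.group("addr"), int(m.group("port"))
        if port not in (PLAINTEXT_API_PORT, TLS_API_PORT):
            continue
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # loopback-only bind: not reachable by the internet-wide scanning described above
        if port == PLAINTEXT_API_PORT:
            findings.append(f"plaintext Docker API listening on {addr}:{port}")
        else:
            findings.append(
                f"TLS Docker API listening on {addr}:{port}; confirm client-certificate verification is enforced"
            )
    return findings


def audit(images_jsonl: str, inspect_json: str, ss_output: str) -> dict[str, list[str]]:
    """Run all three checks and group the findings by source."""
    return {
        "images": flag_images(images_jsonl),
        "containers": flag_containers(inspect_json),
        "listeners": flag_listeners(ss_output),
    }


# Constructed samples (image IDs, container names and PIDs are made up for the example).
IMAGES_SAMPLE = "\n".join([
    '{"Repository":"nginx","Tag":"1.25","ID":"0123456789ab","Size":"187MB"}',
    '{"Repository":"sadogo","Tag":"latest","ID":"ba9876543210","Size":"41MB"}',
])
INSPECT_SAMPLE = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"RestartPolicy": {"Name": "no"}}},
    {"Name": "/miner", "Config": {"Image": "sadogo:latest"},
     "HostConfig": {"RestartPolicy": {"Name": "always"}}},
])
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:2375      0.0.0.0:*         users:(("dockerd",pid=812,fd=7))
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=812,fd=8))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=640,fd=3))
"""

if __name__ == "__main__":
    for section, items in audit(IMAGES_SAMPLE, INSPECT_SAMPLE, SS_SAMPLE).items():
        print(f"{section}:")
        for item in items or ["none"]:
            print("  " + item)
```

On a live host, feed the functions the real command output instead of the samples. The name match is deliberately narrow because the page publishes no file hashes; a listener finding on 2375 bound to a non-loopback address is the condition that makes a host reachable by the scanner described above and should be treated as a misconfiguration regardless of whether any suspect image is present.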