### Security # Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign #### NEW CAMPAIGN USES ATTACK INFORMATION SNUCK INTO IMAGES DISTRIBUTED VIA SOCIAL NETWORKS www.bitdefender.com ----- ## Contents Summary.........................................................................................................................................................3 Technical analysis..........................................................................................................................................4 Initial access...................................................................................................................................................4 Execution flow.................................................................................................................................................5 Entry Point..............................................................................................................................................................................6Contents Resolving Dependencies. Repeating Patterns in Code.................................................................................................6 Decompressing Code from Resource...............................................................................................................................8 Process Injection...................................................................................................................................................................8 Downloading PNG from Imgur...........................................................................................................................................9 Moving with Execution to a New Buffer.........................................................................................................................10 Decoding PNG File..............................................................................................................................................................10 Remcos Agent.....................................................................................................................................................................12 Injection into mstsc.exe and Remcos Agent Execution..............................................................................................13 Defense evasion techniques........................................................................................................................14 Hosting payloads on Imgur..........................................................................................................................14 Mapping DLLs instead of conventionally loading them.............................................................................14 COM usage....................................................................................................................................................15 Impact............................................................................................................................................................15 Campaign distribution..................................................................................................................................15 Conclusion.....................................................................................................................................................16 Bibliography...................................................................................................................................................17 MITRE techniques breakdown.....................................................................................................................17 Indicators of Compromise............................................................................................................................18 Hashes...........................................................................................................................................................18 C&C domain...................................................................................................................................................18 **Author:** János Gergő SZÉLES Senior Security Researcher@ Bitdefender ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign ## Summary In the late summer of 2020, the Bitdefender Active Threat Control team noticed a surge of Remcos malware, with most of the attacks taking place in Colombia. While the malware family has been known for quite a while to cyber-criminals and malware researchers alike, this new campaign captured our attention as it arrived on the victims’ computers via phishing e-mails related to financial services and COVID-19 information. Remcos is a remote control and surveillance software developed and distributed by an organization called Breaking Security [1][2]. Since 2017, when it first appeared on the market [3], Remcos has gained popularity among cyberattackers and even made it into the arsenal of APT actors like the Gorgon Group and APT33 [4]. As this Remote Access Trojan (RAT) spreads via phishing e-mails, the COVID-19 pandemic has created an ideal environment where malware authors could reach and exploit even more victims than usual. One technical peculiarity that caught our attention was the communication with Imgur, a viral image-hosting platform. Our analysis observed that malware authors abused the Imgur service to host malicious payloads encoded in images – a technique called steganography. Using image-hosting services to deploy malicious payloads opens new infection vectors, as such websites are generally popular and whitelisted by security solutions, so connections to them are not suspicious. Moreover, by using custom steganography algorithms on the images, detecting encoded malicious payloads with static detection is virtually impossible. We have already seen Remcos variants that used steganography to unpack code [5], but so far, the images have been embedded in the deployed executable file, not downloaded from Imgur. In the attack we observed, the malware used several evasion techniques to ensure its success. Among the most interesting are the following: - Mapping DLLs into the address space and resolving functions in the mapped file instead of the conventional LoadLibrary + GetProcAddress function calls - Using COM for various functionalities - Hosting payloads on Imgur and employing a custom steganography algorithm to encode and decode data - Multiple layers of code injection to hide malicious actions behind seemingly legitimate processes - Anti-reverse-engineering tricks to force a human malware analyst to spend more time on the sample. ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign ## Technical analysis This research paper covers technical aspects of this attack, with a particular focus on the most important steps taken between the initial phishing e-mail and the final execution of the Remcos Agent. ## Initial access The malware spreads via phishing emails that reference COVID-19 or financial topcis, andembed a malicious link. The carefully crafted message invites the victim to download the ZIP file by following the link and double click the executable contained. We captured a phishing mail that shows the delivery link. The e-mail poses as a message from the Ministry of Health of Colombia. It states that the receiver has violated the health regulations against the prevention and spread of diseases and that the person is fined 936,000 pesos. Should the message convince the user, they will proceed with downloading and running the executable file. **Fig.1. An E-mail with a spear-phishing link** The download link is hxxps://app[.]getresponse[.]com/click[.]html?x=a62b&lc=B7eg5s&mc=99&s=BE7A3gg&u=Qzvx**f&z=EJQbVyH& and the downloaded executable has the same name as the link’s text, so in our example’s case, it is** _sancion e90252gf violacion a las normas sanitarias.exe._ The e-mail headers show some inconsistencies. The mail seems to originate from prevencion-covid19.com.co, but the headers reveal the original domain of the attacker, the same one that hosts the malware. ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign Reply-To: @prevencion-covid19.com.co Sender:-prevencion-covid19-com-co@getresponse-mail.com Subject: Penalizaci�n por Incumplimiento a las Normas De Bioseguridad Contra la Propagaci�n del (COVID-19) To: X-Complaints-To: abuse@getresponse-mail.com X-Original-Sender: @prevencion-covid19.com.co X-Original-Authentication-Results: mx.google.com; dkim=pass header.i=@getresponse-mail.com header.s=k1024c header.b=CJHmqPcU; spf=pass (google.com: domain of bounce-119262801@bounce.getresponse-mail.com designates 104.160.65.80 as permitted sender) smtp.mailfrom=bounce-119262801@bounce.getresponsemail.com ## Execution flow **Fig.2. Execution flow** At a glance, Procmon reveals that the malware performs most of its actions in a possibly injected process, extrac32.exe, started by Remcos Loader. The suspicious fact was that, with API monitoring tools, we did not observe any functions that would indicate code injection into extrac32.exe. During reverse-engineering, we found the technique by which the malware managed to hide this action. ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign **Fig.3. Download action from extrac32.exe** Looking at the downloaded PNG file, we can identify a block of pixels that seems out of order. This first block contains hidden code, but no standard steganography tool can extract anything from the image. **Fig.4. Downloaded PNG with steganography** In the following pages, we will walk you through the behavior of the malware from execution until the Remcos Agent gets to run on the system. #### Entry Point We found a piece of code that loads the string “extrac32.exe” and decrypts the download URL and stores it on the stack. **Fig.5. The string “extrac32.exe” used in code** **Fig.6. At the end of the function call, the Imgur link appears on the stack** #### Resolving Dependencies. Repeating Patterns in Code. After the URL is decrypted, the malware calls a function that has ~1,000 lines when decompiled, full of anti-static analysis tricks, but also features some repeating patterns. With static analysis alone, it would be impossible to deduce which functions are resolved by Remcos Loader There are also no conventional calls to APIs as the malware uses various ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign function wrappers with parameters in a different order than in the API’s header. Right at the beginning of the function, the malware searches for the Image Base of both ntdll.dll and kernel32.dll. The locations are obtained from the PEB of the current process from the loaded modules list. Then, to resolve its dependencies, the code calls a function that walks over the exports of the previously found DLLs and searches for function addresses based on the hash provided in the argument. We named this function GetProcAddress_functionality. The returned values are addresses of the resolved functions, and they are stored in local variables as function pointers. This pattern of resolving functions by hash repeats throughout the execution of the malware, even in injected code, and it allows the malware to hide its functionality from reverse-engineers and automatic tools that parse dependencies because the import table of the malicious executable is limited to a few default functions. **Fig. 7. Resolving dependencies with GetProcAddress_functionality** Another pattern in this function is the way it displays some integer numbers in the debugger console by calling DbgPrint to mark the progress of the injection. The author of the loader might have used these messages for debugging purposes. **Fig. 8. Repeatedly calling displayDebugInt that calls DbgPrint** Going deeper into the function, we observed why API monitoring failed to give us information about code injection. The malware evades detection based on user-mode API hooking by mapping ntdll.dll and kernel32.dll in its address space, obtaining the addresses of functions in the mapping, and executing the code directly with the help of a wrapper function that we named function_caller. **Fig. 9. Mapping ntdll.dll in memory and identifying function offset in the mapping** ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign **Fig. 10. Calling the function wrapper which executes code in the mapping** #### Decompressing Code from Resource After resolving the required functions and obtaining their addresses in the mapping, the malware decompresses a buffer of code from a resource. **Fig. 11. Decompressing the code which will be injected** #### Process Injection For the process injection to occur, the malware creates the victim process as suspended first. **Fig. 12. Calling CreateProcessW to create a suspended process** It then writes the decompressed code along with the Imgur link (received in first argument a1) and another memory buffer in the victim process. **Fig. 13. Code Injection** **Achieving Execution in First Victim** Next, the malware makes sure it achieves execution in the victim process. To do this, it first creates a new section that will contain a trampoline to the injected code. **Fig. 14. Creating a new section for the trampoline** Then, it sets the instruction pointer of the victim process to point to the trampoline in the new section with the help of _NtSetContextThread. Finally, it makes the new section executable (NtProtectVirtualMemory) and resumes the main thread_ of the victim process. **Fig. 15. Making the new region executable and resuming the thread** **Execution in extrac32.exe** From this point onward, the execution moves into extrac32.exe starting with the trampoline previously written in its mem ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign **Fig. 16. Trampoline which jumps to the injected code** If we follow this jump, we get to a function responsible for downloading the PNG file and decoding the data from it. First, it resolves some function pointers (LoadLibrary, swprintf, CoCreateInstance, etc.) in the same manner as we have seen in the parent process. **Fig. 17. Resolving dependencies in the injected code with the same GetProcAddress_functionality** #### Downloading PNG from Imgur Execution then lands at a piece of code that downloads a file from the link injected before. **Fig. 18. Download function** There are two download attempts for redundancy. The first one is evasive, and it tries to download the file via the BITS (Background Intelligent Transfer System) COM object. If this fails, a more traditional approach is used, with the help of functions from wininet.dll. In the BITS download function we have identified that the COM object with CLSID _{4991d34b-80a1-4291-83b6-_ _3328366b9097} is instantiated. The CLSID corresponds to BITS class 1.0, capable of downloading files from the internet._ Then, we have identified the interface {5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C} which stands for IBackgroundCopy_Manager, capable of instantiating download jobs and tracking their progress. After completing the structures in IDA, the_ function reveals itself. ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign **Fig. 19. Download with BITS** #### Moving with Execution to a New Buffer After the download finishes, the execution moves to a newly allocated buffer, where a piece of the injected code was copied. This is yet another anti-reverse trick that makes code that is hard to track in static analysis. **Fig. 20. Allocating new buffer and copying a part of the code** In this new buffer, the malware obtains function pointers in every function the way it did in the parent process, with the help of the hashes of function names. First, it opens the PNG file: **Fig. 21. Resolving CreateFileA and opening the PNG file** ##### Decoding PNG File The decoding step starts with the allocation of a buffer big enough to fit the whole file in it and calls a function that is responsible for decoding the data from the PNG file. ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign **Fig. 22. Allocating result buffer and decoding steganography** In the decode function, the malware reads the contents of the PNG file, parses the headers of the PNG to obtain metadata, then reads the first IDAT chunk that contains the steganography data. The malware builds a compressed buffer by reading the PNG sequentially and taking the three least significant bits for each pixel, placing the resulting values in the resulting buffer in a “shuffled” place with the help of a small lookup table defined at the start of the function. **Fig. 23. Lookup table for placing bytes** **Fig. 24. Taking 3 LSB and storing in a buffer** ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign **Fig. 25. Resulting compressed buffer** In the following steps, the code allocates a buffer big enough to contain the result, and it unpacks the packed data. From the resulting buffer, we can recognize two process names: regsvr.exe and mstsc.exe followed by an MZPE. **Fig. 26. Unpacked buffer containing Remcos Agent** #### Remcos Agent The MZPE is identifiable as Remcos Agent from its embedded strings. It is version 2.5.1 Pro (released on 5th July 2020) and has the hash 576B290CCD3E5B9C172793F46E2E02F1. ``` * BreakingSecurity.Net * Remcos v 2.5.1 Pro ``` The malware takes its configurations from an embedded resource called RCData, which is encrypted with RC4. After the malware decrypts this buffer, we can see the C&C to which it connects, along with the name of the folder where it will save data. The C&C domain is chasefre[.]chasefre[.]pics ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign **Fig. 27. Remcos Agent config, containing the C&C** Remcos has all its functionalities documented on the company’s website [2], the core commands being: **Command Name** **Description** Clipboarddata Getclipboard SetclipClipboard operations board Emptyclipboard deletefile Delete file Download a file from a specified URL and execute it on an infected downloadfromurltofile system execcom Execute a shell command filemgr File manager getproclist Obtain a list of the running processes initremscript Execute remote script from C&C keyinput Keylogger msgbox Display a message box on an infected system openaddress Open a specified website OSpower Shutdown, restart, sleep operations ping Ping an infected system prockill Kill a specific process regopened regcreatekey regeditval regAdd, edit, rename or delete registry values and keys delkey regdelval regopen initregedit scrcap Screen capture sendfiledata Upload data to C&C server uninstall Uninstall itself from an infected system #### Injection into mstsc.exe and Remcos Agent Execution Finally, the extrac32.exe process starts mstsc.exe and injects the Remcos Agent binary into it to achieve execution. The malicious payload checks if persistence is already present on the system and, if not, it makes a copy of the original malware into \AppData\Roaming\Microsoft\regsvr.exe, creates a shortcut file that launches it and schedules a task to execute it periodically by writing a .job file in C:\Windows\Tasks\. The file operations are not done by conventional calls to _WriteFile, but by using COM objects for filesystem interaction._ ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign **Fig. 28. Persistence check** **Fig. 29. Writing .job file to schedule task** After achieving persistence, it periodically checks after some malware-specific settings, which appeared in the decrypted configurations as well, and it dumps data in a log file in \AppData\Roaming\frepink\logs.dat. This file is encoded to hide contents from reverse-engineers. **Fig. 30. Checking the registry keys provided in the config** **Fig. 31. Writing collected data in file** ## Defense evasion techniques Remcos is a well-known RAT, detectable by most AVs. Therefore, attackers need to use various defense evasion techniques to deliver payloads and achieve execution. The attack we observed contains some interesting techniques to mention. ## Hosting payloads on Imgur Encoding code with steganography into images and hosting them on Imgur creates opportunities for attackers to bypass security checks. Image-hosting platforms are legitimate, and connections to these websites do not raise suspicion. Moreover, using a custom steganography algorithm makes it challenging to add static detection on images that may host malicious payloads. ## Mapping DLLs instead of conventionally loading them The malware tries to keep its number of imported functions at a bare minimum to avoid giving malware analysts and automatic tools hints about its behavior. Instead, it resolves dependencies during run-time. However, it does not call _LoadLibrary to load a DLL and GetProcAddress to search for a specific function, as this would allow API monitoring tools_ and user-mode hooking to identify function calls. The chosen approach is to create a file mapping for the required DLL, make the memory region executable, and search for a function based on the hash of the function’s name. This way, the malware can call the needed API from a memory region that is outside the PEB’s loaded module list, and therefore undetectable by user-mode hooking. ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign ## COM usage It has recently become popular in malware to use COM objects to interact with the operating system. Since COM performs actions outside of the context of the calling process, it is challenging to detect them. Remcos uses the BITS COM object to download the PNG from Imgur and the FileOperation interface to create a copy of the original executable into \ _AppData\Roaming\Microsoft\regsvr.exe_ ## Impact Just like any Remote Access Trojan, Remcos generally runs on the system without the user’s knowledge and allows attackers to collect files from the computer, record the screen, microphone, and camera, and even execute other pieces of malware. With so many evasion techniques, Remcos is hard to observe on the system once it runs. The most important defensive actions a user can take are to avoid opening links in suspicious e-mails, watch out for anything that seems odd, and avoid executing .exe files downloaded from untrusted links. ## Campaign distribution We noticed this strain of Remcos originating from various cities in Colombia. Most of the detections originate from Bogotá, while the rest are scattered around the region. ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign **Fig. 32. Heatmap of detections in Colombia** **City** **Unique IP Count** Bogotá 171 Medellín 65 Santiago de Cali 17 Chia 7 Barranquilla 7 Bucaramanga 4 Ibague 4 Floridablanca 3 Cúcuta 3 Ocaña 2 Santa Marta 2 Tunja 2 Sogamoso 2 Barrancabermeja 2 Cartagena 1 Santa Rosa del Sur 1 Villavicencio 1 Duitama 1 Rionegro 1 Manizales 1 Facatativá 1 Buenaventura 1 Valledupar 1 Palmira 1 Itaguei 1 Chinchina 1 Buenavista 1 Yopal 1 La Calera 1 Florencia 1 Pitalito 1 Montería 1 Los Patios 1 Bello 1 ## Conclusion The COVID-19 pandemic offered a new environment in which cybercriminals can exploit users’ curiosity with phishing e-mails. In such an ecosystem, malware like Remcos can infect lots of computers, and attackers constantly improve their techniques to reach even more victims. In this campaign targeting Colombian users, the attackers delivered their payload encoded in images with steganography and hosted on Imgur. They also used techniques to evade static and dynamic detection by manually resolving the malware’s dependencies and by using COM objects to interact with the operating system. The malware also ensured its persistence on the infected system with scheduled tasks and shortcut files placed in the Startup directory. Remcos, like any other RAT, can exfiltrate information from the victim’s computer and run other malware at the attacker’s demand. The most efficient way to defend against such threats is to raise awareness about phishing e-mails and to avoid running executable files originating from suspicious sources. |City|Unique IP Count| |---|---| |Bogotá|171| |Medellín|65| |Santiago de Cali|17| |Chia|7| |Barranquilla|7| |Bucaramanga|4| |Ibague|4| |Floridablanca|3| |Cúcuta|3| |Ocaña|2| |Santa Marta|2| |Tunja|2| |Sogamoso|2| |Barrancabermeja|2| |Cartagena|1| |Santa Rosa del Sur|1| |Villavicencio|1| |Duitama|1| |Rionegro|1| |Manizales|1| |Facatativá|1| |Buenaventura|1| |Valledupar|1| |Palmira|1| |Itaguei|1| |Chinchina|1| |Buenavista|1| |Yopal|1| |La Calera|1| |Florencia|1| |Pitalito|1| |Montería|1| |Los Patios|1| |Bello|1| ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign ## Bibliography [1] https://attack.mitre.org/software/S0332/ [2] https://breaking-security.net/remcos/, https://breaking-security.net/wp-content/uploads/dlm_uploads/2018/07/ Remcos-Instructions-Manual-rev17.pdf [2] https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2 [3] https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ [4] https://malware.news/t/remcos-rat-matroska-like-file-execution/36276 ## MITRE techniques breakdown |Initial Access|Execution|Persistence|Defense Evasion|Collection| |---|---|---|---|---| |Phishing: Spearphishing Link|Scheduled Task/Job: Scheduled Task|Scheduled Task/Job: Scheduled Task|BITS Jobs|Audio Capture| ||User Execution: Mali- cious File|Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|Obfuscated Files or Information: Steganog- raphy|Clipboard Data| ||||Process Injection: Thread Execution Hi- jacking|Input Capture: Keylog- ging| ||||Process Injection: Porta- ble Executable Injection|Screen Capture| |||||Video Capture| ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign ## Indicators of Compromise Hashes 9751e6f12b24bdad7d2117f2c7020ade c8812dea8359f0571a7a521555f6137b 00fab7f57f73de1674add42371ed4340 9ad91ac861bd26a641fa1fe15b1d5f01 586aa60c78951b25defba589401c2174 b21cf79417a5261253785ffe8b0baa39 8f04f9bbc5183961a2af1e015a4f326e 62f99deef7bff208ef33e7175ba976a4 2acbfbd0b6c407fb3c7a0cc5c7a39d77 58400a2b2975c50e9f2d27aa22aeceed 8701cbe86982a1c6d04b177732df16bc 931ca95414349919998757f4ba2137b1 29f75d75e2c9732222cefc17598491b8 8768d2b0bbead95202f82306c351bb04 bd480943a64a5f2ebf14bca30d7b74d9 c23032a02c86bdf850be046a111933c9 24075ad898cb5a3ca2a4d3a04c755075 8d6e8a43513d71092ba4d077bb57299c 24953d1a545b6139417382036b8fdd48 e39f56b84501f3b0c2eeb214c7426993 bad4d901ab3590fbcfe07a764f01b663 574e5bb98b3fb186f9e009fd2b654d1b c5dd9a4b30b0510f0f637e2bb20ff13e 94270d5fe5827cdb9f25a8c6d1280df5 6d0190cc7714b3cdf7f43b7a59d3abdd a51978f4e9ef5d04358e16f3ca160b3a 879ff585f0976df2eb099614222fdbfb dfeb455b3878c3920585faf5d0da5a68 cc722e903b29275c81bc8cc4c5ba7582 7de84434250d80b048a7aa70618caade ## C&C domain **chasefre[.]chasefre[.]pics** 51e63285ada982262b89eff033caf239 8cf44952e574fc426cad06b4029b5c8f 1aba42a1af152852dfc8c1091253a5f5 8cc83c95194f03af1f76378d79ad4809 3db5cd752a237d821789a3c4915f3b81 6acf97a698c003f9f9f9ea1d220a8650 d295ab15e8689727c79bdefae41dfa53 70f15f656363ff2966eb1c7fdd4001e7 68f96be42d45e549efe42ae00220d167 8d10c9c606cb53adf7291d91da414526 f7e8af73e25b7f01a1b54aad37c7ac71 431bf295cfa0bebec5bdfd25f7aa1003 6b9e4cac8fb1f2a53060bc591457925c b4eaeacdc6b98e632d69c37463a1537a 51378f5f8eeb405c3219beb6afdf4db9 84f6c94adbb2ddc4fee92ae06576906e 5f8c8a1f889908fca0b1c0a225349c7d 084392f38c3cc2b9d44a08f230031720 28d04f80e35e0360f2cbf3c0161595ce d65cf6d2df9abf45894a07a0a526675b ad258cdcb627ec39da06d596eafa345b 89ad81614f311ea176e0a28d4014f1a1 af9913f05a836f8b9975225228885909 6fa4894d46e9fbee4aa1e8a48304acd5 a5a038dfa4cfc0bdd944ccbd3dfa63ac c4310d5520178204e3b0976c871a0389 e85b8ba78e6ed6a43b803b0de65003c1 c7bb02bb4b6ce2e88ba2a3add862caf1 ecd1ac22ad1376f5ec4e493291a31c1e ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign ----- Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign ----- #### Proudly Serving Our Customers Dedicated To Our +20.000 Worldwide Partners Bitdefender provides solutions and services for small business and A channel-exclusive vendor, Bitdefender is proud to share success with tens of medium enterprises, service providers and technology integrators. We take thousands of resellers and distributors worldwide. pride in the trust that enterprises such as Mentor, Honeywell, Yamaha, **Speedway, Esurance or Safe Systems place in us.** _CRN 5-Star Partner, 4th Year in a Row. Recognized on CRN’s Security 100 List. CRN Cloud_ _Partner, 2nd year in a Row_ _Leader in Forrester’s inaugural Wave™ for Cloud Workload Security_ _More MSP-integrated solutions than any other security vendor_ _NSS Labs “Recommended” Rating in the NSS Labs AEP Group Test_ _3 Bitdefender Partner Programs - to enable all our partners – resellers, service providers_ _SC Media Industry Innovator Award for Hypervisor Introspection, 2nd Year in_ _and hybrid partners – to focus on selling Bitdefender solutions that match their own_ _a Row_ _specializations_ _Gartner® Representative Vendor of Cloud-Workload Protection Platforms_ #### Trusted Security Authority Bitdefender is a proud technology alliance partner to major virtualization vendors, directly contributing to the development of secure ecosystems with **VMware, Nutanix, Citrix, Linux Foundation, Microsoft, AWS, and Pivotal.** Through its leading forensics team, Bitdefender is also actively engaged in countering international cybercrime together with major law enforcement agencies such as FBI and Europol, in initiatives such as NoMoreRansom and TechAccord, as well as the takedown of black markets such as Hansa. Starting in 2019, Bitdefender is also a proudly appointed CVE Numbering Authority in MITRE Partnership. **RECOGNIZED BY LEADING ANALYSTS AND INDEPENDENT TESTING ORGANIZATIONS** **TECHNOLOGY ALLIANCES** #### UNDER THE SIGN OF THE WOLF **Founded 2001, Romania** A trade of brilliance, data security is an industry where only the clearest view, sharpest mind and deepest insight can **Number of employees 1800+** win — a game with zero margin of error. Our job is to win every single time, one thousand times out of one thousand, and one million times out of one million. **Headquarters** Enterprise HQ – Santa Clara, CA, United States And we do. We outsmart the industry not only by having the clearest view, the sharpest mind and the deepest insight, Technology HQ – Bucharest, Romania but by staying one step ahead of everybody else, be they black hats or fellow security experts. The brilliance of our collective mind is like a luminous Dragon-Wolf on your side, powered by engineered intuition, created to guard against **WORLDWIDE OFFICES** all dangers hidden in the arcane intricacies of the digital realm. **USA & Canada: Ft. Lauderdale, FL | Santa Clara, CA | San Antonio, TX |** Toronto, CA This brilliance is our superpower and we put it at the core of all our game-changing products and solutions. **Europe: Copenhagen, DENMARK | Paris, FRANCE | München, GERMANY** | Milan, ITALY | Bucharest, Iasi, Cluj, Timisoara, ROMANIA | Barcelona, SPAIN | Dubai, UAE | London, UK | Hague, NETHERLANDS -----