The notorious APT group continues to play the video game industry with yet another backdoor

In February 2020, we discovered a new, modular backdoor, which we named PipeMon. Persisting as a Print Processor, it was used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and develop MMO (Massively Multiplayer Online) games. Video games developed by these companies are available on popular gaming platforms and have thousands of simultaneous players.

In at least one case, the malware operators compromised a victims build system, which could have led to a supply-chain attack, allowing the attackers to trojanize game executables. In another case, the game servers were compromised, which could have allowed the attackers to, for example, manipulate in-game currencies for financial gain.

The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the software industry, leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple video games) that is then used to compromise more victims. Recently, ESET researchers also discovered a campaign of the Winnti Group targeting several Hong Kong universities with ShadowPad and Winnti malware.

About the Winnti Group naming:

We have chosen to keep the name Winnti Group since its the name first used to identify it, in 2013, by Kaspersky. Since Winnti is also a malware family, we always write Winnti Group when we refer to the malefactors behind the attacks. Since 2013, it has been demonstrated that Winnti is only one of the many malware families used by the Winnti Group.

Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the C&C domains used by PipeMon were used by Winnti malware in previous campaigns mentioned in our white paper on the Winnti Group arsenal. Besides, Winnti malware was also found in 2019 at some of the companies that were later compromised with PipeMon.

In addition to Winnti malware, a custom AceHash (a credential harvester) binary found at other victims of the Winnti Group, and signed with a well-known stolen certificate used by the group (Wemade IO), was also used during this campaign.

The certificate used to sign the PipeMon installer, modules and additional tools is linked to a video game company that was compromised in a supply-chain attack in late 2018 by the Winnti Group and was likely stolen at that time.

Interestingly, PipeMon modules are installed in %SYSTEM32%spoolprtprocsx64; this path was also used in the past to drop the second stage of the trojanized CCleaner.

Additionally, compromising a software developers build environment to subsequently compromise legitimate application is a known modus operandi of the Winnti Group.

Companies targeted in this campaign are video game developers, producing MMO games and based in South Korea and Taiwan. In at least one case, the attackers were able to compromise the companys build orchestration server, allowing them to take control of the automated build systems. This could have allowed the attackers to include arbitrary code of their choice in the video game executables.

ESET contacted the affected companies and provided the necessary information to remediate the compromise.

Two different variants of PipeMon were found at the targeted companies. Only for the more recent variant were we able to identify the first stage which is responsible for installing and persisting PipeMon.

PipeMons first stage consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher. The launcher writes the RARSFX to setup0.exe in a directory named with a randomly generated, eight-character, ASCII string located in the directory returned by GetTempPath. Once written to disk, the RARSFX is executed with CreateProcess by providing the decryption password in an argument, as follows:

setup0.exe -p*|T/PMR{|T2^LWJ*

Note that the password is different with each sample.

The content of the RARSFX is then extracted into %TMP%RarSFX0 and consists of the following files:

Note that in the event of a folder name collision, the number at the end of the RarSFX0 string is incremented until a collision is avoided. Further, not all these files are necessarily present in the archive, depending on the installer.

Once extracted, setup.exe is executed without arguments. Its sole purpose is to load setup.dll using LoadLibraryA. Once loaded, setup.dll checks whether an argument in the format x:n (where n is an integer) was provided; the mode of operation will be different depending on the presence of n. Supported arguments and their corresponding behavior are shown in Table 1. setup.exe is executed without arguments by the RARSFX, and checks whether its running with elevated privileges. If not, it will attempt to obtain such privileges using token impersonation if the version of Windows is below Windows 7 build 7601; otherwise it will attempt different UAC bypass techniques, allowing installation of the payload loader into one of:

depending on the variant. Note that we werent able to retrieve samples related to Interactive.dll.

Table 1. setup.exe supported arguments and their corresponding behavior.

This loader is stored encrypted within setup.dll, which will decrypt it before writing it to the aforementioned location.

The location where the malicious DLL is dropped was not chosen randomly. This is the path where Windows Print Processors are located and setup.dll registers the malicious DLL loader as an alternative Print Processor by setting one of the following registry values:

HKLMSYSTEMControlSet001ControlPrintEnvironmentsWindows x64Print ProcessorsPrintFiiterPipelineSvcDriver = DEment.dll

or

HKLMSYSTEMCurrentControlSetControlPrintEnvironmentsWindows x64Print Processorslltdsvc1Driver = EntAppsvc.dll

depending on the variant. Note the typo in PrintFiiterPipelineSvc (which has no impact on the Print Processor installation since any name can be used).

After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the malicious print process is loaded when the spooler service starts. Note that the Print Spooler service starts at each PC startup, which ensures persistence across system resets.

This technique is really similar to the Print Monitor persistence technique (being used by DePriMon, for example) and, to our knowledge, has not been documented previously.

Additionally, the encrypted payload, CrLnc.dat, extracted from the RARSFX is written to the registry at the following location, depending on the installer:

This encrypted registry payload is then loaded, decrypted and executed by the previously registered Print Processor library. The whole PipeMon staging and persistence is shown in Figure 1.

Figure 1. PipeMon staging and persistence

We named this new implant PipeMon because it uses multiple named pipes for inter-module communication and according to its PDB path, the name of the Visual Studio project used by its developer is Monitor.

As mentioned previously, two different PipeMon variants were found. Considering the first variant, we couldnt retrieve the installer; thus, we dont know for sure the persistence technique that was used. But considering that this first variant of PipeMon was also located in the Print Processor directory, its likely that the same persistence mechanism was used.

PipeMon is a modular backdoor where each module is a single DLL exporting a function called IntelLoader and is loaded using a reflective loading technique. Each module exhibits different functionalities that are shown in Table 2.

The loader, responsible for loading the main modules (ManagerMain and GuardClient) is Win32CmdDll.dll and is located in the Print Processors directory. The modules are stored encrypted on disk at the same location with inoffensive-looking names such as:

Note that .hwp is the extension used by Hangul Word Processor from Hangul Office, which is very popular in South Korea.

The modules are RC4 encrypted and the decryption key Com!123Qasdz is hardcoded into each module. Win32CmDll.dll decrypts and injects the ManagerMain and GuardClient modules. The ManagerMain module is responsible for decrypting and injecting the Communication module, while the GuardClient module will ensure that the Communication module is running and reload it if necessary. An overview of how PipeMon operates is shown in Figure 2.

Win32CmDll.dll first tries to inject the ManagerMain and GuardClient modules into a process with one of the following names: lsass.exe, wininit.exe or lsm.exe. If that fails, it tries to inject into one of the registered windows services processes, excluding processes named spoolsv.exe, ekrn.exe (ESET), avp.exe (Kaspersky) or dllhost.exe. As a last option, if everything else failed, it tries to use the processes taskhost.exe, taskhostw.exe or explorer.exe.

The process candidates for Communication module injection must be in the TCP connection table with either 0.0.0.0 as the local address, or an ESTABLISHED connection and owning a LOCAL SERVICE token. These conditions are likely used to hide the Communication module into a process that is already communicating over the network so that the traffic from the Communication module would seem inconspicuous and possibly also whitelisted in the firewall. If no process meets the previous requirements, the ManagerMain module tries to inject the Communication module into explorer.exe. Processes belonging to the Windows Store Apps and processes named egui.exe (ESET) and avpui.exe (Kaspersky) are ignored from the selection.

Table 2. PipeMon module descriptions and their respective PDB paths

Additional modules can be loaded on-demand using dedicated commands (see below), but unfortunately, we werent able to discover any of them. The names of these modules are an educated guess based on the named pipes used to communicate with them:

Inter-module communication is performed via named pipes, using two named pipes per communication channel between each individual module, one for sending and one for receiving. Table 3 lists the communication channels and their corresponding named pipes.

Table 3. PipeMon communication channel and their respective named pipes

The %CNC_DEFINED% string is received from the C&C server and %B64_TIMESTAMP% variables are base64-encoded timestamps such as the ones shown in Table 4.

Table 4. Example timestamps used with named pipes

Figure 2. PipeMon IPC scheme (original PipeMon variant)

The Communication module is responsible for managing communications between the C&C server and the other modules via named pipes, similar to the PortReuse backdoor documented in our white paper on the Winnti arsenal.

Its C&C address is hardcoded in the ManagerMain module and encrypted using RC4 with the hardcoded key Com!123Qasdz. It is sent to the Communication module through a named pipe.

A separate communication channel is created for each installed module. The communication protocol used is TLS over TCP. The communication is handled with the HP-Socket library. All the messages are RC4 encrypted using the hardcoded key. If the size of the message to be transferred is greater than or equal to 4KB, it is first compressed using zlibs Deflate implementation.

struct CCMSG{ BYTE is_compressed; CMD cmd;};struct CMD{ QWORD cmd_type; DWORD cmd_size; DWORD cmd_arg; BYTE data[cmd_size - 16];};

struct CCMSG

{

BYTE is_compressed;

CMD cmd;

};

struct CMD

{

QWORD cmd_type;

DWORD cmd_size;

DWORD cmd_arg;

BYTE data[cmd_size - 16];

};

struct beacon_msg{ BYTE isCompressed = 0; CMD cmd_hdr; WCHAR win_version[128]; WCHAR adapters_addrs[128]; WCHAR adapters_addrs[64]; WCHAR local_addr[64]; WCHAR malware_version[64]; WCHAR computer_name[64];}

struct beacon_msg

{

BYTE isCompressed = 0;

CMD cmd_hdr;

WCHAR win_version[128];

WCHAR adapters_addrs[128];

WCHAR adapters_addrs[64];

WCHAR local_addr[64];

WCHAR malware_version[64];

WCHAR computer_name[64];

}

Figure 3. C&C message and beacon formats

To initiate communication with the C&C server, a beacon message is first sent that contains the following information:

The information about the victims machine is collected by the ManagerMain module and sent to the Communication module via the named pipe. The backdoor version is hardcoded in the Communication module in cleartext.

The format of the beacon message is shown in Figure 3 and the supported commands are shown in Table 5.

Table 5. List of commands

* The argument supplied for this command type is ignored

As mentioned earlier, the attackers also use an updated version of PipeMon for which we were able to retrieve the first stage described above. While exhibiting an architecture highly similar to the original variant, its code was likely rewritten from scratch.

The RC4 code used to decrypt the modules and strings was replaced by a simple XOR with 0x75E8EEAF as the key and all the hardcoded strings were removed. The named pipes used for inter-module communication are now named using random values instead of explicit names and conform to the format\.pipe%rand%, where %rand% is a pseudorandomly generated string of 31 characters containing only mixed case alphabetic characters.

Here, only the main loader (i.e. the malicious DLL installed as a Print Processor) is stored as a file on disk; the modules are stored in the registry by the installer (from the CrLnc.dat file) and are described in Table 6.

Table 6. Updated modules

Module injection is not performed using the reflective loading technique with an export function anymore; custom loader shellcode is used instead and is injected along with the module to be loaded.

The C&C message format was changed as well, and is shown in Figure 4.

struct CCMSG{ BYTE is_compressed; CMD cmd;};struct CMD{ QWORD cmd_type; DWORD cmd_size; DWORD cmd_arg; BYTE data[cmd_size - 16];};

struct CCMSG

{

BYTE is_compressed;

CMD cmd;

};

struct CMD

{

QWORD cmd_type;

DWORD cmd_size;

The rest is here:
No Game over for the Winnti Group - We Live Security

Are you looking for a house renovation? Or need to makethe outlook more impressive? Then you should replace the window at home with anew and modernized pair. A new window can keep your place warm, protected, andincrease the value of the property.

While investment in the window is a crucial decision andit took time to review to find the best option. Before getting into the newwindow you should know, how much does it cost to replace windows? And much more. here are some reasons that show why youneed window replacement:

The most important aspect that leads to change in thewindow is to increase the value of a home. Is it something that offers theupdate to change the old style with a new one. whenever it comes to give avalue addition modification to your place window is a perfect choice amongothers. Before fixing the new window it is necessary to check the size, colorscheme, and fitting.

No matter what kind of weather is outside, the windowhelps to keep the internal temperature control. In cold it helps to warm insideand in summer it helps to restrict the heat from entering the home. Moreover,it significantly reduces the cost of cooling and heating by saving more than30%. So, a fine quality window with the right insulation is an energy-efficientdecision.

With the window, it is easy to protect the householdthings from environmental contact. More it helps to reduce the moisture, heat,and restrict other factors that do not affect the internal temperature andatmosphere of the house. It also restricts the entrance of microbes, dust, insects,and mosquitoes to enter the house and enhance theprotection.

If we consider the security, the window is best atproviding security. Like it helps to enter sunlight in the house but restrictsthe unauthorized entrance. The window offers security and privacy together.Like in the market multiple window options are available that even block thenoisy voices. More you can install the one that enhances privacy and not allowthe outsiders to intervene in the private space.

Here is another possibility that leads to replacing theold window with the new one. if due to environmental influence or storm yourwindow is damaged and needs a fix. You can check the repair cost andreplacement cost and if window repair cost is almost the same as thereplacement one, then change is better. It offers a way to put some latestdesign with more sustainable fitting and protective measures that helps toavoid damage in the future.

Renovation is always an impressive decision that offersexciting opportunities to experience changes. You can modify your place withjust a small modification. For window replacement you have to search the bestoption in material and compare the cost as well, to find the appropriateoption.

Read the original:
Why Do You Need Window Replacement at Home? - IMC Grupo

"Only the rich can afford poor windows," says Joe Koken, general manager of Renewal by Andersen of Arizona. Koken was quoting Hans Andersen, founder of Andersen Windows in 1903. Renewal by Andersen is the full-service replacement window division of Andersen Windows, and this month it's celebrating its 25th anniversary with the biggest discount ever offered to new customers.

"You can replace your windows and doors once with a highly engineered product and likely never have to do it again, or you can replace them several times with a low-end product and end up paying more in the long run," Koken says.

The quality of the Renewal by Andersen window starts with its Fibrex composite material.

"There is a misconception that vinyl is a good choice for windows, but we won't even sell a vinyl window," Koken says. "Our exclusive window material, called Fibrex, is a composite that's two times stronger than vinyl."

Andersen researched and developed its Fibrex material for 30 years before it was installed in even one home. Fibrex is a wood-and-polymer composite that expands and contracts very little and is warranted not to warp, peel or corrode.*

"Fibrex has the strength, durability and beauty of wood windows combined with the low maintenance aspects of vinyl," Koken says.*

When choosing a replacement window or door company, there are five questions you should ask:

1. What does the warranty cover and how long does it last?

Many replacement window companies will warrant their windows and doors but not their installations. And a lot of them claim to have a "lifetime" warranty but in the fine print, "lifetime" can be defined as just seven years.

Renewal by Andersen has one rock-solid triple warranty that covers its windows, doors and installation. If you have any issues that come up, you won't be chasing down the manufacturer and the installer you just have to make one call.

2. What are the windows made of, and can they withstand the weather where you live?

Many vinyl replacement windows can warp, leak and cause drafts in just a few years. Renewal by Andersen's Fibrex material is vastly superior to vinyl. It's two times stronger than vinyl and infinitely more beautiful.

3. How will the company's windows or doors make your home more comfortable?

Many replacement windows will make your home more comfortable at first, but when their seals break and their energy efficiency is lost, you could be back to feeling too hot or cold in no time. Renewal by Andersen's High-Performance Low E-4 SmartSun glass helps to make homes more comfortable in every season.

4. How do you know if you're getting a good price?

If the price on a vinyl window is so low that it seems too good to be true, it probably is. In addition, if you have to replace those vinyl windows in 7-10 years, then they weren't worth it, no matter how inexpensive they were. Renewal by Andersen builds a window that will last. Nobody wants to replace their windows more than once.

5. How much will the windows or doors cost?

Many replacement window companies will give you a window estimate, but then the final bill ends up being more than the original quote. As part of its free in-home or virtual appointment, Renewal by Andersen provides an exact, down-to-the-penny price quote often within 48 hours of your call, and the quote is good for a whole year.

Renewal by Andersen is committed to keeping customers happy and safe. As Koken says, "The health and safety of our customers and our staff is our highest priority. We're adhering to the CDC's strict guidelines including wearing protective gloves and masks, maintaining a respectful distance inside your home, and frequently sanitizing our trucks and tools.

"And if you're not comfortable having us in your home at this time, we now offer virtual appointments, too," Koken adds. "From the comfort and safety of your home, you can have an online meeting with one of our project managers to discuss your window and door needs and get an exact price quote that we'll honor for a whole year.

"We also understand that this is a challenging time for some homeowners, and we want to do what we can to help them get their project done," Koken says. "So, we're having a special 'Thank You for 25 Years Sale.' Now until May 31, we're taking 25 percent off of all our windows and doors. And with our special financing, you won't pay anything for 25 months."

Call 480-565-4505 now to get Renewal by Andersen's biggest new customer discount ever!

* See Renewal by Andersen Products and Installation Transferable Limited Warranty for details.

Read more:
Why Now Is A Great Time To Replace Your Windows And Doors - Patch.com

Help support our COVID-19 coverage

We're providing access to COVID-19 articles for free. Please help support our work by subscribing or signing up for an account. Already a subscriber? Log in.

Jean Carton, left, and the Rev. Stephen Engelbrecht, pastor at St. Anthonys Church in Atkinson, are shown in front of one of the windows included in the restoration project of all stained glass windows at the church. The window depicting The Resurrection in the photograph was donated by the ladies in the Altar and Rosary Society when the church was built in 1917. Now, 103 years later, the ladies in the current Altar & Rosary Society donated the funds to restore and re-install that same window.

ATKINSON An upcoming annual spring raffle is expected to raise the remainder of the funds needed to pay for the restoration of the original stained glass windows at St. Anthonys Church in Atkinson.

The 11th annual raffle drawing will be held a 12:30 p.m. Sunday, June 7, at the Parish Hall, across from the church at 204 West Main St. The brunch that is included with the drawing each year will be held at a later date.

Nick Simon, chairman of the raffle and a deacon at the church, said more than $20,000 in prizes will be awarded, including a grand cash prize of $10,000.

Only 500 tickets will be sold and the odds of winning a cash prize are one in 39, Simon said.

The price of a raffle ticket is $100 which includes two tickets for the brunch when it is held at a later date. Tickets are available from church members, at businesses in Atkinson, and from the church office by calling 309-936-7900 and leaving a message.

Proceeds from the raffle will be applied to the Stained Glass Window Restoration and Protection project for the 103-year-old windows at the parish.

Simon said the proceeds from the spring raffle should complete paying for the project which is estimated to cost $200,000 and includes restoration of the 26 stained glass windows and the protection system, which was done to all windows in the building. He said there are 68 stained glass windows in the church.

Follow this link:
Raffle will help restore stained glass windows in Atkinson church - Quad City Times

MOUNT VERNON Offering a chronology of Knox County Information Technology Department tasks completed since he became county IT director in 2019, Kyle Webb provided a thorough report of those accomplishments to Knox County commissioners during their regular meeting Tuesday.

Over the past eight months, Webb wrote, the county has progressed from a managed IT services model, with two IT employees under contract from Info-Link Technologies, to an IT department with four full-time employees. At the beginning of this month, May 1, an agreement the county has with Info-Link was initiated, with both of its on-site staff hired on with the county full-time.

Webb said when he started his job as IT director, just two InfoLink staff members were barely able to keep up with day-to-day county IT issues, let alone any ongoing projects. Now the IT department has a staff with Webb as director; Shawn Conkle, network administrator; Trevor Ditmars, system administrator; and Andrew Champlin, IT communications coordinator, who recently helped launch a county Twitter page and reactive a dormant Facebook page. Champlin is the departments newest member.

The varied backgrounds of our team create a very well-rounded and robust department that can respond to any situation or challenge we may face, Webb offered.

The ability to take on significant projects was needed early in the year with two January deadlines looming, the first Jan. 14. After he started as IT director in September, his team was given about three months to organize more than 100 devices running on Windows 7 and upgrade them to Windows 10. The project included end of life for two Windows servers with 2008 dates.

This end of life meant there were no more security updates for Windows 7 and Server 2008, which would leave the county network extremely vulnerable to viruses and hackers, he said.

The upgrade involved replacing 64 of the countys outdated computers, and upgrading 53 more to Windows 10. The upgrade happened over 90 days and involved an ongoing shortage of computer components, so Webb said he contacted Dell Technologies about securing a government account representative who provided significant cost savings over a third-party vendor. The county IT department met its Jan. 14 goals in switching over to Windows 10 for all but a few computers, he noted.

Another monumental time-sensitive project was an upcoming State of Ohio Election Security overhaul carrying a mandated Jan. 31 deadline. Required was complete replacement of all Knox County Board of Elections (BOE) computers and networking equipment to meet incredibly high-security standards, he said. The BOE completed its due diligence by seeking state-approved vendors to bid on the project.

After reviewing several proposals, it was abundantly clear that if our in-house IT department handled the project, we would save the county thousands of dollars and create a much better, more secure computer network, Webb emphasized. He added that the Jan. 31 deadline was met and saved the county tens of thousands of dollars.

Some of the other projects Webb said the IT department has completed since September 2019 include:

Upgrading the Knox County Sheriffs Office and county 911 terminal servers.

Replacing three physical servers.

Taking over control of and updating the Knox County website and social media.

Taking over control of and updating the Knox County phone system.

Implemented new Network-Attached Storage (NAS) for the county Public Defenders Office.

Redesigned and rebuilt sheriffs office computer backup infrastructure

Implemented a COVID-19 remote workforce network.

Ongoing IT department projects include handling the Computer-Aided Dispatch upgrade for the Knox County 911 system, with a July go live target date, Webb said. Other current projects involve bond kiosk installation in the sheriffs office lobby; four server replacements for the 911 dispatch center; three server replacements for county offices; and one server replacement each for the sheriffs office and county water-wastewater department. New mobile data terminals are also being installed on sheriffs office cruisers.

Future goals include a new help desk ticketing system by August of this year; all new servers to be installed by August; rewiring all network closets by the end of the year; and full implementation of a disaster preparedness plan for critical systems with quarterly testing. There is also a goal of more social media outreach including videos and podcasts.

In the last eight months, the Knox County IT department has handled more IT projects than most organizations experience in two years, Webb offered. We still have a lot more to accomplish to get our systems to peak efficiency, but I am extremely happy with our progress so far.

Do your part to support local journalismSubscribe to our e-edition to read this and many other articles written by your neighbors.

Already a subscriber? Log in

Larry Di Giovanni: 740-397-5333 or larry@mountvernonnews.com and on Twitter, @mountvernonnews

The rest is here:
County IT meets goals, ready to move on more - Mount Vernon News

One tool that bad guys use to go after your web servers is a web shell. A web shell is a malicious script that masquerades as a legitimate file and provides a backdoor into your server. Recent guidance from the US National Security Agency (NSA) and the Australian Signals Directorate (ASD) offers techniques to detect and prevent web shell malware from affecting web servers. The NSA document describes web shell malware as a long-standing, pervasive threat that continues to evade many security tools.

Detection may be difficult. Web shells target existing applications and files. Because they mimic proper files on your system, its often difficult to determine that an attack has occurred. Heres how to best detect and prevent web shell attacks on a Windows network.

Begin by comparing the files on the machine to known good files. Compare date and time stamps and especially SHA-2 hash values. You can also use Windiff to compare to files to determine if the attacker has replaced them with similar ones.

Originally posted here:
9 tips to detect and prevent web shell attacks on Windows networks - CSO Online

If you were wondering whether Huawei would be able to regain its Android license, that chance was has just been thrown out that window for another year. On Wednesday, President Trump has extended an executive order that called for a National Emergency to secure information and telecom services from threats, including Huawei.

The first executive order, enacted back in May of last year, barred Huawei from conducting business with any business firm based in the US. This includes Google for Huaweis Android services, and this will only further push Huawei into creating its own app ecosystem that doesnt rely on Google Services. This will also continue to hinder sales of its smartphones in Western markets, where lack of Google Services can be a deal-breaker for many consumers.

Back in March, Huawei announced that its HMS (Huawei Mobile Services) replacement for Google Play Services has reached 400 million active users, and has 1.3 million developers on board. Although there are many alternatives to Googles core apps like Gmail and Maps, they only substitute the real thing though it is possible to live with HMS.

In any case, Huawei remains barred from its official Android license, so we only anticipate Huawei will continue to build its ecosystem without Google and we can expect more rumors of Huaweis planned replacement for Android called Harmony OS.

Source

Continue reading here:
Huawei remains banned from doing business with US companies for another year - GSMArena.com news - GSMArena.com

A 16-storey apartment building will replace what used to be the old villa that housed Bar Dada in the Bllok area of Tirana, until its demolition in February.

The construction permit for this apartment building, that will be called City Hotel, was given by the National Territorial Council (KKT), headed by Prime Minister Edi Rama, to entrepreneur Agim Zeqo in October 2019.

The building is being constructed by Nova Construction 2012, owned by Ilir and Kujtim Shtufi.

The project is designed by the Italian architect Marco Casamontis studio, Archea Associati, the same architect that designed Tiranas stadium building. Casamonti is known for being close to the Prime Minister.

The apartment building is expected to have 4 underground floors, and 12 above ground ones. The project plan seems to indicate a style similar to that of the Forever Green building in Tirana, whose construction has been ongoing for the past 10 years. This building was also designed by Casamonti. Both building designs stand out for their irregular window placement and terrace gardens.

The City Hotel building will be a multifunctional one, combining residential and office spaces.

Construction is expected to take 4 years.

Currently three more high-rise buildings are being built in the Bllok areas narrow alleys. A 13-storey building will replace the former villa that housed the private Metropolitan University. A multifunctional complex called Blloku Cube and designed by Stefano Boeri is being constructed a few meters away. Another of Boeris projects, West Residence, is being built in the area behind the Presidents Office.

Meanwhile, throughout Tirana, the municipality has granted construction permits for the construction of high rise buildings along the capitals main streets and squares.

At least 12 high-rise buildings, with an average height of 12-storeys, are currently being constructed.

Fjal kye: Albania, Edi Rama, Erion Veliaj, Marco Casamonti, Tirana, Tirana Municipality

Original post:
Another High Rise Building to Replace Historic Villa in Tirana - Exit - Explain Albania

Two shops and four flats along the London Road in High Wycombe could be bulldozed and replaced with a more modern building.

Developers want to demolish the buildings at 464 to 476 London Road which is currently four flats, a convenience store and a shop selling windows and replace it with a much more modern looking three storey block.

The new block will still have two slightly bigger retail units along the ground floor but the number of flats above will be doubled to eight.

ALSO READ:Brunel Engine Shed High Wycombe: Developers reveal details

Mirage Developments, who have put the plans forward to Buckinghamshire Councils planning officers, say the current building is in a poor state of repair and has structural issues.

If their new plans are given the green light, there will be four one-bed flats and four 2-bed flats, with access to them from the rear of the building. All flats will have a balcony and there will be a cycle store for 10 bikes.

There will also be 14 parking spaces at the back 11 for the eight flats and three for the shops.

A highways consultant says residents living in the new development will be in a good position to be able to visit shops without having to rely on cars, as it is right next door to Tesco Express and a few minutes away from the retail park.

ALSO READ:Monsoon and Accessorize units in Eden Shopping Centre to become Cte Brasserie

Buckinghamshire Council officers have until August 12 to decide whether to let the overhaul go ahead.

View the full details online at http://www.wycombe.gov.uk/pages/Planning-and-building-control/Planning-applications/Find-a-planning-application.aspx and search 20/05993/OUT.

Read more here:
Shops and flats in 'poor state of repair' could be bulldozed and replaced - Buckinhamshire Free Press

The ex-Reds star feels interest in the prolific RB Leipzig striker is purely down to Jurgen Klopp looking to add greater depth to his squad at Anfield

Liverpool are not looking for Timo Werner to replace anyone at Anfield, says John Barnes, with Jurgen Klopp considered to be looking to bring in competition for Mohamed Salah, Sadio Mane and Roberto Firmino.

Talk of the Reds launching a big-money raid on RB Leipzig for the prolific Germany international striker has been stepped up ahead of the next transfer window.

Werner is seen by many as the perfect fit for Klopps system, with the 24-year-old boasting both end product and willingness to work hard for the good of a collective cause.

It has, however, also been suggested that another option will be sought by Liverpool in the final third as interest is building in those already on their books.

La Liga giants Real Madrid and Barcelona have been sniffing around Salah and Mane for some time, but Barnes is not expecting sales to be sanctioned on Merseyside.

He told BonusCodeBets of the Werner rumours: Hes not going to replace anyone.

Hes coming to be part of the squad, I dont think Klopps going to drop any of the front three for him.

Of course, I dont know if that is what may necessarily happen. If Salah, Mane or Firmino goes, we dont know, so I dont think hes coming in to replace anyone, hes coming to be part of a squad.

Pressed further on whether he could see any member of a fearsome front three moving on in 2020, former Reds midfielder Barnes added: Every player, regardless of who you are, can go at any moment.

I dont think theyre preparing for any of the front three to leave. If you can get a player of Werners quality to come in and one of the front three doesnt leave, its fine, they have a stronger squad.

I dont think theyre going to lose any of the front three, but in modern football, you can never tell.

If you get a chance to get a player who can fit into what you want, you should do it.

Article continues below

I dont think hes going to cost hundreds of millions or his salary will be that high and it wont be the case where he has to play every single game because hes going to cost 100m and hes being paid 300k a week.

This is also what hes [Klopp] looking for, players that will come and be happy to be there and not demand to play every week, theyre not superstars like a [Cristiano] Ronaldo or a [Lionel] Messi.

Werner has left the door open for a move to Liverpool to be made, as he readies himself for a new challenge, but the Reds are not the only side monitoring his situation and may face competition when the next market opens for business.

See the article here:
Liverpool not looking for Werner to replace anyone Barnes expects Salah, Mane & Firmino to stay put - Goal