
CCleaner 614 security issue - August 1 2023


RgoELC


Hello,

We just got an escalated ticket about a user who downloaded CCleaner on his system. This version of CCleaner is responsible for several questionable activities on the device, including but not limited to key logging, attempting to encrypt credentials, deleting several files. See the details of the ticket below:

This is very concerning. Please investigate this with the highest priority.

[Screenshot of the ticket attached]


Free or Pro version?
I would also ask if they downloaded via the official website or via a questionable site which is offering the Pro (paid) version for free or much lower cost than officially advertised.

Virginia/Bastet.
Windows 11 Pro 22H2. CCleaner Pro. MalwareBytes Pro. Defender. Macrium Reflect Home.


  • Moderators

Assuming that your employee has tried to install the official CCleaner (and not a dodgy repack from somewhere on the web) then I suspect that what you are seeing is normal behaviour when installing CCleaner on a home machine.
Support should be able to confirm that for you.

However it is probably not behaviour that would be expected, (or allowed), in a business network situation.
(There are business versions of CCleaner designed specifically for IT departments to deploy over their networks).

Presumably your employees are prohibited from installing their own apps on your business machines.

CCleaner home version does require elevated permissions. (Hence the 'skipUAC' option, which although created during install is normally switched off by default).
It does scan to see what CPU is running and it does scan for the Windows version in use, so that it knows what/where can safely be cleaned.
It does scan for other user accounts, an Admin user using CCleaner Pro can clear junk files from other user accounts.
It does scan for installed applications and drivers, it does that in order to know what the user may want to update.
It does scan for startup apps, and other scheduled tasks, so that it can put unneeded ones to 'sleep' if the user chooses.
It does contact various servers to get up-to-date information, such as new application versions or new driver versions.
etc, etc.

In short many of the actions that CCleaner does on install, and during use, are not exceptional for an application of the type.
Most home use AV/AM applications recognise CCleaner, they know what it is, what actions it takes, and that its actions are not malware.

But if your business cyber security is not expecting CCleaner to be installed on a network endpoint, which it obviously wasn't, then those actions can look typical of what a malware might also do.
In those circumstances then most of those actions are going to trigger your protection application's alarms if a person tries to install a CCleaner home version on your business networked environment.

Again, there is always the slight possibility that your employee has acquired an installer from somewhere on the web that could have been tampered with and repacked.

EDIT- I see that your employee says that it was a download from the official site.

In which case malware can probably be ruled out and I'd suggest that it's almost certainly simply that your business cyber security is not recognising CCleaner home.
A case of 'user error', - trying to install something that they shouldn't have on a works computer.

*** Out of Beer Error ->->-> Recovering Memory ***

Worried about 'Tracking Files'? Worried about why some files come back after cleaning? See this link:
https://community.ccleaner.com/topic/52668-tracking-files/?tab=comments#comment-300043
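The post above boils down to two questions a responder has to answer before closing a ticket like this: was the installer the genuine, untampered one, and are the persistence artefacts it left (the update task, the UAC-skip task) the expected ones? The following PowerShell is an added example for this thread, not code from Piriform/Avast or from any poster. It assumes the installer is still on disk at a path you supply, that you already hold a known-good publisher subject from a trusted copy (passed as -ExpectedSigner; the script invents none), and optionally the SHA-256 your EDR log recorded (-LoggedHash) so you can do the hash comparison the original poster mentions. Run it on the affected host before reimaging, because the hash in the log is all that survives afterwards.

```powershell
# Added example for triaging a downloaded installer on the affected Windows host.
# Hypothetical parameters: supply your own path, expected signer and logged hash.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,   # e.g. "$env:USERPROFILE\Downloads\ccsetup614.exe"
    [string] $ExpectedSigner = '',                     # publisher subject taken from a known-good copy (assumption)
    [string] $LoggedHash = ''                          # SHA-256 the EDR/AV log recorded, if you have it
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

# 1. Hash the file. This is the value to look up at VirusTotal and to compare
#    against the hash your security tooling logged for the download.
$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
$hashMatchesLog = if ($LoggedHash -ne '') { $hash -ieq $LoggedHash } else { $null }

# 2. Authenticode. A repacked or tampered installer will not carry a valid
#    signature chained to the original publisher: 'Valid' means the chain
#    verified; 'NotSigned' or 'HashMismatch' is a red flag on its own.
$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
$signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

$signerOk = $true
if ($ExpectedSigner -ne '') {
    $signerOk = ($sig.Status -eq 'Valid') -and ($signerSubject -like "*$ExpectedSigner*")
}

# 3. Persistence the thread describes: scheduled tasks carrying the product name
#    (the update task and the UAC-skip task). Naming them in the ticket replaces
#    the tool's generic "keylogger" label with concrete, checkable artefacts.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '*CCleaner*' } |
    Select-Object TaskName, TaskPath, State

# 4. Emit one record the escalated ticket can carry.
[pscustomobject]@{
    File            = $InstallerPath
    SHA256          = $hash
    HashMatchesLog  = $hashMatchesLog
    SignatureStatus = $sig.Status
    Signer          = $signerSubject
    SignerMatches   = $signerOk
    ScheduledTasks  = ($tasks | ForEach-Object { "$($_.TaskPath)$($_.TaskName) [$($_.State)]" }) -join '; '
    Verdict         = if ($sig.Status -eq 'Valid' -and $signerOk) {
                          'Signed by the expected publisher: treat the alerts as a policy violation, not malware'
                      } else {
                          'Signature missing/invalid or signer unexpected: keep the host isolated and escalate'
                      }
}
```

Usage (hypothetical values): `.\Verify-Installer.ps1 -InstallerPath "$env:USERPROFILE\Downloads\ccsetup614.exe" -ExpectedSigner '<publisher subject from a known-good copy>' -LoggedHash '<sha256 from the EDR log>'`. The verdict is deliberately conservative: a valid signature only tells you the file is the publisher's own build, so the remaining question (whether a home-use tool belongs on a corporate endpoint at all) is a policy decision, which is exactly the distinction the post above draws.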

 


@nukecad thank you for the detailed response. This could very well be what happened.

The PC has been reimaged, so there is no way to be sure now what package he downloaded. I can compare file hashes from the log if I have time, but for now the priority is off as the issue has been resolved.

I make sure to educate the users to not download Home-use appliances on their corporate devices.

Thank you all!


  • Moderators

Your first screenshot shows that the file hash was already checked at Virus Total and no problem found.

As would be expected with a genuine CCleaner installer.


3 hours ago, RgoELC said:

Free version. The user sent me a link to the official website and told me he downloaded from there.

Then there should be no malware.


Hi RgoELC:

Thanks for posting those logs.

As nukecad noted above, many of those behaviours won't come as a big surprise to long-time CCleaner users (e.g., creation of the CCleaner Update task in Task Scheduler, configuration of CCleaner64.exe to evade UAC) but I'm very curious as to why ccsetup614.exe would need to monitor user keystrokes during installation.  I don't know if a keystroke logger could be used for the benefit of users with disabilities who use Windows "Ease of Access" assistive technologies during installation, but it sounds very odd that an installer would need to monitor keystrokes.

This is just one more reason why I now run the Portable build of CCleaner from a removable USB stick and will never install the "regular" edition of CCleaner on my hard drive again.  Fingers crossed that Avast / Piriform figures out how to prevent the Portable build from creating dozens of unnecessary registry entries (see Crni's 23-Jul-2023 post on page 5 of Wisewiz's Welcome Back to CCleaner Professional ???  about remote connections to shepherd.ff.avast.com) or I won't be using the Portable build much longer either.
------------
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3208 * Firefox v116.0.0 * Microsoft Defender v4.18.23050.9-1.1.23060.1005 * Malwarebytes Premium v4.5.33.272-1.0.2069 * Macrium Reflect Free v8.0.7279 * CCleaner Free Portable v6.14.10584


  • Moderators

It's the cyber security being cautious when faced with something unknown to it.
In this case it didn't know CCleaner or what it checks.

So it saw CCleaner looking to check what input devices a user had connected (so that it knows what logs may need to be cleaned) - that checking is also the kind of action that a keylogger might do.
As the security didn't know just what CCleaner is then to be cautious it would warn of a possible keylogger.

It's the nature of cyber security applications to classify activities broadly when outputting warnings to the user or logs.
They only have a limited number of option strings that they can output so they pick the nearest one to what they are seeing, to advise the user to look at that possibility.

It's a bit like the CCleaner error message saying 'It seems like you are offline' when in fact you are online and it's a server connection that is the problem, CCleaner has just picked its closest message to display.

