Full Report
Cybersecurity researchers have discovered a malicious Google Chrome extension that's designed to steal data associated with Meta Business Suite and Facebook Business Manager. The extension, named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), is marketed as a way to scrape Meta Business Suite data, remove verification pop-ups, and generate two-factor authentication (2FA) codes.
Analysis Summary
# Tool/Technique: CL Suite (Malicious Chrome Extension)
## Overview
CL Suite is a malicious Google Chrome extension masquerading as a productivity tool for Meta Business Suite and Facebook Business Manager. Its advertised features (data scraping, pop-up removal, and 2FA code generation) all require the user to hand the extension exactly what an attacker wants: the TOTP seed for the account and an authenticated Business Manager session. Rather than keeping that material local, the extension exfiltrates the TOTP seeds, contact lists, and business analytics to threat actor-controlled infrastructure.
## Technical Details
- **Type:** Malicious Browser Extension / Infostealer
- **Platform:** Google Chrome (Web Browser) targeting Meta/Facebook Business users.
- **Capabilities:** Credential theft (TOTP seeds), data exfiltration (CSV exports), and security control bypass (popup suppression).
- **First Seen:** Uploaded to Chrome Web Store on March 1, 2025.
## MITRE ATT&CK Mapping
- **[TA0006 - Credential Access]**
- [T1111 - Multi-Factor Authentication Interception] (theft of TOTP seeds; the technique formerly listed here, T1555.004, is Windows Credential Manager and does not apply)
- **[TA0009 - Collection]**
- [T1119 - Automated Collection]
- [T1185 - Browser Session Hijacking] (the extension operates inside the victim's already-authenticated Business Manager session)
- **[TA0010 - Exfiltration]**
- [T1041 - Exfiltration Over C2 Channel]
- [T1567 - Exfiltration Over Web Service] (Telegram; the sub-technique T1567.002 is "Exfiltration to Cloud Storage" and is not a good fit for a messaging channel)
## Functionality
### Core Capabilities
- **TOTP Seed Theft:** Steals the unique alphanumeric seeds used to generate time-based 2FA codes, allowing attackers to bypass multi-factor authentication.
- **Data Scraping:** Automatically builds CSV files of the "People" view within Meta Business Manager, capturing names, emails, roles, and status details.
- **Entity Enumeration:** Maps Business Manager-level entities, including linked ad accounts, connected pages, and billing/payment configurations.
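The reason TOTP seed theft is a full 2FA bypass is that a TOTP code is a deterministic function of the seed and the clock: whoever holds the seed computes the same six digits the victim's authenticator shows. The following is an added illustration, not code from the report or from the extension, implementing RFC 6238 so the point can be checked against the RFC's own test vectors. The seed `DEMO_SEED` is the RFC reference key and is not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(seed_base32: str, unix_time: Optional[int] = None,
         digits: int = 6, step: int = 30, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP from a base32 seed (the value the extension exfiltrates).

    Anyone holding the seed can run this and obtain the same code the
    victim's authenticator app displays, which is why seed theft defeats
    TOTP-based 2FA even when the attacker never sees a single code.
    """
    if unix_time is None:
        unix_time = int(time.time())
    # Seeds are usually shown without base32 padding; restore it before decoding.
    cleaned = seed_base32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = unix_time // step                      # time step number (RFC 6238 "T")
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp_valid(seed_base32: str, candidate: str, unix_time: Optional[int] = None,
               window: int = 1, **kw) -> bool:
    """Server-style check with a +/- `window` step tolerance for clock drift.

    Uses a constant-time comparison so a verifier does not leak digit matches.
    """
    if unix_time is None:
        unix_time = int(time.time())
    step = kw.get("step", 30)
    return any(
        hmac.compare_digest(totp(seed_base32, unix_time + k * step, **kw), candidate)
        for k in range(-window, window + 1)
    )


# Constructed demo seed: the RFC 6238 reference key "12345678901234567890"
# encoded as base32. Not a real account secret.
DEMO_SEED = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # The "victim" authenticator and an "attacker" holding the stolen seed
    # derive identical codes from the same seed and the same clock.
    now = int(time.time())
    print("victim code  :", totp(DEMO_SEED, now))
    print("attacker code:", totp(DEMO_SEED, now))
    print("RFC 6238 vector, t=59 :", totp(DEMO_SEED, 59))            # 287082
    print("RFC 6238 vector, t=1234567890:", totp(DEMO_SEED, 1234567890))  # 005924
```

The practical consequence for responders is in the `totp` signature: there is no per-device state, so the only way to invalidate a stolen seed is to re-enrol 2FA and obtain a new one.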
### Advanced Features
- **Security Suppression:** Removes and suppresses verification pop-ups within the Meta interface to allow for seamless data scraping without alerting the user.
- **Dual Exfiltration Channels:** Silently sends collected payloads to a backend server and can optionally forward the same data to a dedicated Telegram channel, giving the attacker near real-time visibility into new victims.
## Indicators of Compromise
- **Extension IDs:**
- `jkphinfhmfkckkcnifhjiplhfoiefffl` (CL Suite)
- `ceibjdigmfbbgcpkkdpmjokkokklodmc` (VK Styles - Related Campaign)
- **Domain Indicators:**
- `getauth[.]pro`
- **Targeted Domains (not indicators on their own):**
- `facebook[.]com` (legitimate; scraped by the extension)
- `meta[.]com` (legitimate; scraped by the extension)
- **Behavioral Indicators:**
- Unexplained CSV exports of contact or business data.
- Automatic generation of 2FA codes within a browser extension.
- Suppression of standard Facebook/Meta security prompts.
## Associated Threat Actors
- **@CLMasters:** The developer/group identified as the publisher of the CL Suite extension.
- **2vk:** A threat actor (GitHub username) associated with the related "VK Styles" malicious extension campaign.
## Detection Methods
- **Signature-based detection:** Scanning the `Extensions/<id>/<version>/` directories under each Chrome profile for the Extension IDs listed above (Chrome's user data directory is `%LOCALAPPDATA%\Google\Chrome\User Data` on Windows, `~/Library/Application Support/Google/Chrome` on macOS, and `~/.config/google-chrome` on Linux).
- **Behavioral detection:** Monitoring for network calls from browser extensions to unknown third-party domains (e.g., `getauth[.]pro`); in DevTools and Chrome net-export captures these requests carry a `chrome-extension://<id>` initiator, which ties the traffic back to the extension.
- **Audit Logs:** Checking Meta Business Suite activity logs for unusual administrative data exports (People/Analytics CSVs). Note that the scraping runs inside the victim's own browser session, so it will not stand out as a foreign user agent or IP address; look instead for export volume and timing that the user cannot account for, and for role or member changes the user did not make.
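One way to implement the signature-based check, as an added example that is not part of the report: walk each Chrome profile's `Extensions` directory, flag the listed IoC IDs, and (going one step beyond the report) also flag any extension outside an enterprise allowlist whose manifest requests host access to Facebook/Meta domains, since the next rebrand of this tooling will have a different ID. `APPROVED_IDS` and the sample manifests written by `build_demo_user_data` are constructed for the demo; `FLAGGED_IDS` are the two IDs from the indicator list above.

```python
import json
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Extension IDs from the report's indicator list.
FLAGGED_IDS = {
    "jkphinfhmfkckkcnifhjiplhfoiefffl": "CL Suite",
    "ceibjdigmfbbgcpkkdpmjokkokklodmc": "VK Styles",
}
# Hosts the extension scrapes. An unapproved extension asking for access to
# them is worth a look even if its ID is not on any list yet.
SENSITIVE_HOSTS = ("facebook.com", "meta.com")
# Hypothetical enterprise allowlist; populate from your own extension policy.
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def manifest_hosts(manifest: dict) -> List[str]:
    """Collect host patterns from MV2 permissions, MV3 host_permissions and content scripts."""
    patterns = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    return [p for p in patterns if isinstance(p, str)]


def touches_sensitive_host(patterns: List[str]) -> bool:
    """True if any match pattern covers a SENSITIVE_HOSTS domain (or every host)."""
    for p in patterns:
        if p == "<all_urls>":
            return True
        if "://" not in p:
            continue                      # API permission such as "tabs", not a host pattern
        host = p.split("://", 1)[1].split("/", 1)[0]
        if host == "*":
            return True                   # e.g. "https://*/*" matches every host
        host = host.lstrip("*.").lower()  # "*.facebook.com" -> "facebook.com"
        if any(host == h or host.endswith("." + h) for h in SENSITIVE_HOSTS):
            return True
    return False


def scan_user_data_dir(user_data_dir, approved_ids=APPROVED_IDS) -> List[Dict]:
    """Return findings for every installed extension under <profile>/Extensions/<id>/<version>/."""
    findings = []
    for manifest_path in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest_path.parents[1].name
        profile = manifest_path.parents[3].name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        reasons = []
        if ext_id in FLAGGED_IDS:
            reasons.append("known IoC: " + FLAGGED_IDS[ext_id])
        if ext_id not in approved_ids and touches_sensitive_host(manifest_hosts(manifest)):
            reasons.append("unapproved extension with host access to Facebook/Meta")
        if reasons:
            # Note: "name" may be a localized placeholder like "__MSG_appName__".
            findings.append({"profile": profile, "id": ext_id,
                             "name": manifest.get("name", "?"),
                             "version": manifest_path.parent.name, "reasons": reasons})
    return findings


def build_demo_user_data(root) -> Path:
    """Constructed sample profile (not a real capture): one IoC, one benign, one unlisted scraper."""
    samples = {
        "jkphinfhmfkckkcnifhjiplhfoiefffl": {"name": "CL Suite (sample)", "manifest_version": 3,
                                             "host_permissions": ["*://*.facebook.com/*"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Benign (sample)", "manifest_version": 3,
                                             "host_permissions": ["https://example.org/*"]},
        "cccccccccccccccccccccccccccccccc": {"name": "Unlisted scraper (sample)", "manifest_version": 2,
                                             "permissions": ["tabs", "https://business.facebook.com/*"]},
    }
    for ext_id, manifest in samples.items():
        d = Path(root) / "Default" / "Extensions" / ext_id / "1.0.0_0"
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)


def demo_scan() -> List[Dict]:
    """Build the constructed profile in a temp dir, scan it, clean up, return findings."""
    root = Path(tempfile.mkdtemp(prefix="chrome-scan-demo-"))
    try:
        return scan_user_data_dir(build_demo_user_data(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Pass a real Chrome user data directory as argv[1]; otherwise run the demo.
    results = scan_user_data_dir(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for f in results:
        print(f["profile"], f["id"], f["name"], f["version"], "; ".join(f["reasons"]))
```

Run it against the real user data directory on a suspect host (close Chrome first so the directory is quiescent); the host-permission heuristic will also surface legitimate Meta tooling, which is exactly what the allowlist is for.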
## Mitigation Strategies
- **Prevention measures:** Implement a discovery policy for browser extensions and restrict installations to an enterprise-approved allowlist; in Chrome this is the `ExtensionInstallBlocklist` policy set to `*` combined with `ExtensionInstallAllowlist` for the approved IDs.
- **Hardening recommendations:** Use hardware-based security keys (FIDO2/WebAuthn) instead of TOTP. A WebAuthn private key never leaves the authenticator, so there is no seed for an extension to read or for a user to paste into one.
- **Incident Response:** Treat every account whose TOTP seed was entered into the extension as compromised: remove the extension, reset the account password, re-enrol 2FA so a fresh seed is issued (the old seed remains valid until it is replaced), terminate active sessions, and audit Facebook Business Manager people, roles, linked ad accounts, and payment methods for unauthorized additions.
## Related Tools/Techniques
- **VK Styles:** A related campaign of malicious customization extensions (approx. 500k users) used to hijack VKontakte accounts.
- **Infostealers:** Often used in tandem; an infostealer supplies the account password, and the exfiltrated TOTP seed from the extension supplies the second factor, which together give the attacker a complete login.