The malware, which is signed with an Apple Developer ID certificate, takes screenshots at regular intervals, then dumps them into a folder called MacApp.
(Applebaum recently tweeted, however, "On the topic of the OS X backdoor that I found this week, Apple says: 'We have just revoked the appropriate Developer ID certificate.'")
The sample studied by F-Secure connects to two command and control servers, one in France and the other in the Netherlands.
F-Secure, which is currently the only anti-virus provider to detect the malware, identifies it as Backdoor:OSX/KitM.A.
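A practical way to hunt for this behaviour on a host is to look for the staging folder and check whether the image files in it were written on a fixed cadence, since a screenshot loop produces near-constant gaps between file timestamps while a folder of ordinary images does not. The following is an added example (not F-Secure's, Apple's or the malware author's code); it assumes only what the article states, namely a folder named MacApp filled with periodically captured screenshots, and the sample directory tree it builds is constructed for the demonstration. The jitter threshold and minimum file count are illustrative knobs, not values from the page.

```python
"""Heuristic hunt for KitM-style screenshot staging folders.

Added example, not code from the article, F-Secure or Apple. It assumes a
folder named "MacApp" holding screenshots taken at regular intervals; the
sample tree in build_sample_tree() is constructed for demonstration.
"""
import os
import statistics
import tempfile
import time
from pathlib import Path

SUSPECT_DIR_NAME = "MacApp"            # folder name reported in the article
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg"}


def find_staging_dirs(root):
    """Return every directory under root whose name is SUSPECT_DIR_NAME."""
    return [Path(d) / SUSPECT_DIR_NAME
            for d, subdirs, _ in os.walk(root)
            if SUSPECT_DIR_NAME in subdirs]


def interval_stats(paths):
    """Mean and population stdev of the gaps (seconds) between file mtimes.

    Returns None when fewer than two gaps exist, i.e. fewer than three files.
    """
    times = sorted(p.stat().st_mtime for p in paths)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    return statistics.mean(gaps), statistics.pstdev(gaps)


def is_periodic_dump(directory, min_files=5, max_jitter_ratio=0.2):
    """True when the folder holds enough images written on a steady cadence.

    max_jitter_ratio bounds stdev/mean of the capture interval; a screenshot
    loop gives a ratio near 0, hand-saved images give a large one.
    (Both thresholds are illustrative assumptions.)
    """
    images = [p for p in directory.iterdir()
              if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES]
    if len(images) < min_files:
        return False
    stats = interval_stats(images)
    if stats is None:
        return False
    mean, stdev = stats
    return mean > 0 and stdev / mean <= max_jitter_ratio


def hunt(root):
    """Paths of MacApp folders under root that look like a screenshot dump."""
    return [str(d) for d in find_staging_dirs(root) if is_periodic_dump(d)]


def build_sample_tree():
    """Constructed sample: one periodic dump and one benign MacApp folder."""
    root = Path(tempfile.mkdtemp(prefix="kitm_hunt_"))
    base = time.time() - 3600

    # Eight screenshots exactly 30 s apart, as a capture loop would write them.
    bad = root / "victim" / "MacApp"
    bad.mkdir(parents=True)
    for i in range(8):
        f = bad / f"shot{i}.png"
        f.write_bytes(b"\x89PNG")                  # PNG magic only, constructed
        os.utime(f, (base + 30 * i, base + 30 * i))

    # A developer's asset folder that happens to share the name: irregular gaps.
    good = root / "dev" / "MacApp"
    good.mkdir(parents=True)
    for i, offset in enumerate([0, 5, 600, 610, 4000, 4001]):
        f = good / f"icon{i}.png"
        f.write_bytes(b"\x89PNG")
        os.utime(f, (base + offset, base + offset))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in hunt(sample_root):
        print("periodic screenshot dump:", hit)
```

On a real machine you would call `hunt(Path.home())` (or the whole filesystem) instead of the constructed tree; the folder-name match alone is too noisy to alert on, so the cadence check is what turns it into a usable indicator.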