The malware, which is signed with an Apple Developer ID, take screenshots at regular intervals, then dumps them into a folder called MacApp.
(Applebaum recently tweeted, however, "On the topic of the OS X backdoor that I found this week, Apple says: 'We have just revoked the appropriate Developer ID certificate.'")
The sample studied by F-Secure connects to two command and control servers, one in France and the other in the Netherlands.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
F-Secure, which is currently the only anti-virus provider to detect the malware, identifies it as Backdoor:OSX/KitM.A.