This malware appears to be quite harmless, so far, it takes screenshots and stores them in a folder on your Mac. The malware, named OSX/KitM.A connects with two command & control servers which are currently not operational. Wether these servers have been operational in the past or will be in the future is unknown but if they are it probably offers OSX/KitM.A a way to upload all the taken screenshots and may enable it to receive commands to perform other tasks. At the time of writing Kaspersky, PCTools, Symantec, Trend Micro and F-Secure have the signature in their malware database so if you use one of these products and happen to be/become infected with OSX/KitM.A, they should be able to handle the malware for you. The number of antivirus companies that now detects the signature is growing fast as it went from just two to now five in just 4 hours.
As OSX/KitM.A has only been spotted in the wild once and appears to have been the result of a spear-phishing attact, the chances of you becoming infected is small but never the less check your startup items list (System Preferences > Users & Groups > Login Items) for an application called ‘macs’. If it is present, right-click on it and select “Show in finder” then delete the app and remove it from the login items list. If you use little snitch keep an eye out for connection requests to “securitytable.org” and “docsforum.info” or their IP addresses which are “184.108.40.206” and “220.127.116.11”.
The macs application appears to have been signed with a valid Apple Developer ID so OS X’s built-in security Gatekeeper does not flag the application and allows it to launch. XProtect, another OS X security feature, is so far unaware of the malware. With OS X’s defenses not being able to handle this malware right now i recommend performing the visual check as described above and installing an antivirus application that can keep an eye on things for you. Free applications like Sophos and Avast have done really well in the tests i have recently performed (results online soon) scoring great with their detection rates and these are two companies that are usually very fast with adding new signatures to their database so i expect them to be able to detect OSX/KitM.A soon.
Update: Different variants of this malware are being found so this story may be updated again in the future. The malware may be contained in a file called ‘DSC001254_160413.zip’ and though the command & control servers mentioned earlier do not work, different variants of the malware may use different C&C servers. Intego now also protects against this malware and calls it a variant of OSX/FileSteal.