Security analysis firm CheckPoint Software Technologies spotted a new OS X malware at the end of April 2017. The macOS Trojan horse appeared to be able to bypass Apple's protections and could hijack all traffic entering and leaving a Mac without a user's knowledge, even traffic on SSL-TLS encrypted connections. OSX/Dok was even signed with a valid developer certificate (authenticated by Apple), according to CheckPoint's blog post. It is likely that the hackers accessed a legitimate developer's account and used that certificate. Because the malware had a certificate, macOS's Gatekeeper would have recognized the app as legitimate, and therefore not prevented its execution. Apple has since revoked that developer certificate and updated XProtect, its malware signature system. The attacker could gain access to all victim communication by redirecting traffic through a malicious proxy server.
OSX/Dok was targeting OS X users via an email phishing campaign. The best way to avoid falling foul of such an attempt in the future is not to respond to emails that require you to enter a password or install anything.
Xagent is capable of stealing passwords, taking screenshots and grabbing iPhone backups stored on your Mac. It's thought to be the work of the APT28 cybercrime group, according to Bitdefender.
OSX/Pirrit was apparently hidden in cracked versions of Microsoft Office or Adobe Photoshop found online. It would gain root privileges and create a new account in order to install more software, according to Cybereason researcher Amit Serper.