Back in my younger days... I’ve had boxes hacked through bugs in bind or sendmail. The hacker would cover their tracks with replacements of “ps”, “ls” and such that attempted to cover their tracks. Good times.
Replacing coreutils used to be a semi-common persistence strategy on Linux: you either swapped out the actual tools or a common library with one that had a hook to start up your RAT or whatever other malicious payload. It had the advantage of almost certainly getting it started very quickly after boot without necessarily leaving anything in an "obvious" place (e.g. cron, profile scripts, etc). I haven't seen this in a while; I would guess the increasing use of antivirus/rootkit detection (these things would be pretty easy to signature) and auditing package managers are both factors.
Actually, last time I saw it the cracker (really a script) had replaced a couple of libraries with 32-bit versions on a 64-bit machine, which led to most of the coreutils no longer working. Very subtle. 64-bit machines were becoming common by that point but maybe not so much on Linux servers, but still it was a clear sign of low effort!
Some of my containers run for weeks between deploys, I’d like to know what changes in ‘em just as much as that oldskool IaaS DB server marketing uses ;)