Ooh baby you know I'm gonna dig in on a eBPF rootkit analysis.

https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis.html

LinkPro: eBPF rootkit analysis

Synacktiv

Okay that is legitimately sick:

LinkPro modifies the /etc/ld.so.preload configuration file to specify the path of the libld.so shared library that it embeds, with the goal of hiding various artifacts that could reveal the backdoor's presence.

Once libld.so is loaded at the execution of a program, for example /usr/bin/ls, it hooks (before glibc) several libc functions to modify results that could reveal the presence of LinkPro. Here is the observed behavior for the hooked functions:

  • fopen and fopen64: if the process tries to open /proc/net/tcp, /proc/net/tcp6, /proc/net/udp, or /proc/net/udp6. These files provide information on active TCP/UDP connections. If so, the real fopen function is executed. Then, the malicious library retrieves the content of these files and removes LinkPro's network traces. Indeed, any line containing port 2233 (LinkPro's listening port) as a source or destination is deleted. Finally, if the process tries to open a file named ld.so.preload, a "No Such File Or Directory" error is returned.

Modifying LD_PRELOAD is a well-known TTP (T1574.006). However, most detections will be about the environment variable, not the .so files themselves being mutated. Of course, this all requires root to accomplish, but this kind of stealthy persistence is exactly what basic detection tools will miss.

A good chunk of LinkPro's functionality would appear to come directly from this project: https://github.com/bfengj/eBPFeXPLOIT/
GitHub - bfengj/eBPFeXPLOIT: Exploit tool implemented using ebpf.

Of the many IOCs listed in this report, I think my favorite has to be the spoofed service name: systemd-resolveld. Look closely!
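Since the thread's point is that detection usually watches the LD_PRELOAD environment variable rather than the preload config and its effects, here is a small defender-side audit, written for this thread and not taken from the Synacktiv report or from LinkPro: it reads /etc/ld.so.preload and the /proc/net/tcp* files through the open(2)/read(2) syscalls (the quoted excerpt lists fopen/fopen64 as the hooked functions, so a syscall-level reader is one independent view to compare against what libc-based tools show), lists preload entries that are not on an allowlist, and decodes the hex socket table to look for port 2233. The sample file contents, the library path /usr/lib/libld.so and the allowlist are constructed for the demonstration; the file names and the port number come from the write-up.

```python
"""Audit for the two LinkPro hiding behaviours described in the write-up:
an injected /etc/ld.so.preload entry and filtered /proc/net/tcp* output.
Added example, not code from the report or from the rootkit."""
import os
from typing import Dict, List, Sequence

PRELOAD_PATH = "/etc/ld.so.preload"
PROC_NET_FILES = ["/proc/net/tcp", "/proc/net/tcp6", "/proc/net/udp", "/proc/net/udp6"]
LINKPRO_PORT = 2233  # listening port named in the analysis

# Constructed sample of a tampered ld.so.preload (the library path is invented;
# the report gives only the file name libld.so).
SAMPLE_PRELOAD = "/usr/lib/libld.so\n"

# Constructed /proc/net/tcp excerpt: an SSH listener (0x0016 = 22) and a
# listener on 0x08B9 = 2233. Addresses and ports are hex; state 0A = LISTEN.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000:08B9 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0\n"
)


def read_raw(path: str) -> str:
    """Read a file via os.open/os.read (open(2)/read(2)), bypassing libc fopen()."""
    fd = os.open(path, os.O_RDONLY)
    try:
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
    finally:
        os.close(fd)
    return b"".join(chunks).decode(errors="replace")


def preload_entries(content: str) -> List[str]:
    """ld.so.preload is a whitespace-separated list of shared objects."""
    return content.split()


def parse_proc_net(content: str) -> List[Dict[str, object]]:
    """Decode /proc/net/{tcp,udp}* rows into local/remote (ip_hex, port) and state."""
    sockets = []
    for line in content.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = fields[1].rsplit(":", 1)
        remote_ip, remote_port = fields[2].rsplit(":", 1)
        sockets.append({
            "local": (local_ip, int(local_port, 16)),
            "remote": (remote_ip, int(remote_port, 16)),
            "state": int(fields[3], 16),
        })
    return sockets


def sockets_on_port(content: str, port: int) -> List[Dict[str, object]]:
    """Rows whose local or remote port matches (the rows libld.so is said to drop)."""
    return [s for s in parse_proc_net(content) if port in (s["local"][1], s["remote"][1])]


def audit(preload_content: str, proc_net_contents: Dict[str, str],
          allowed_preload: Sequence[str] = ()) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for lib in preload_entries(preload_content):
        if lib not in allowed_preload:
            findings.append(f"unexpected ld.so.preload entry: {lib}")
    for path, content in proc_net_contents.items():
        for s in sockets_on_port(content, LINKPRO_PORT):
            findings.append(
                f"{path}: socket on port {LINKPRO_PORT} "
                f"(local {s['local'][1]}, remote {s['remote'][1]}, state 0x{s['state']:02X})"
            )
    return findings


def audit_live_host(allowed_preload: Sequence[str] = ()) -> List[str]:
    """Run the same audit against the real files; missing files are treated as empty."""
    def safe_read(path: str) -> str:
        try:
            return read_raw(path)
        except OSError:
            return ""
    return audit(safe_read(PRELOAD_PATH), {p: safe_read(p) for p in PROC_NET_FILES}, allowed_preload)


if __name__ == "__main__":
    for finding in audit(SAMPLE_PRELOAD, {"/proc/net/tcp": SAMPLE_PROC_NET_TCP}):
        print("[sample]", finding)
    for finding in audit_live_host():
        print("[host]", finding)
```

A non-empty ld.so.preload is a finding on its own on most hosts, so the allowlist should stay short and explicit; comparing this script's socket list with what `ss` or `netstat` print on the same box is the practical check the thread is hinting at.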