I shut down the VM and used a live ISO to take a look at the filesystem. You were correct - there is an /etc/ld.so.preload which points to /lib/libgcwrap.so. There is also a /usr/lib/libgcwrap.so copy.
These files were marked as immutable and were not visible from the booted system. I took a look at the cron configurations and found the root user had an entry for "perfcc". Looking this up, perfcc/perfctl is a crypto-miner malware.
Thanks for all your help in troubleshooting this. I hope it clarifies for someone what may be afoot if they find libgcwrap present on their system; there was nothing available on the popular search engines about it.
I shut down the VM and used a live ISO to take a look at the filesystem. You were correct - there is an /etc/ld.so.preload which points to /lib/libgcwrap.so. There is also a /usr/lib/ libgcwrap. so copy.
These files were marked as immutable and were not visible from the booted system. I took a look at the cron configurations and found the root user had an entry for "perfcc". Looking this up, perfcc/perfctl is a crypto-miner malware.
Thanks for all your help in troubleshooting this. I hope it clarifies for someone what may be afoot if they find libgcwrap present on their system; there was nothing available on the popular search engines about it.