His team used ifunc because it made the attack less obvious if you are running sshd under strace. An alarm or clone system call in strace would stick out a mile, even if the code executing the syscall was obfuscated.
So it's clever to use ifunc, but not necessary for an attack to work.
Likely the existing toolkit they seem to have been using had primitives for this already, but as I said in the Veritasium video, I appreciate that this was a very sophisticated attack executed by a smart team.