This is hosted on 18.104.22.168. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.
The injected script sends the keywords and referring site upstream, for example:
[donotcliick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.seAlthough the attacks in the past few days only seem to have utilised 22.214.171.124, an analysis of the netblock [pastebin] shows several bad or spammy sites in 126.96.36.199/23, so my recommendation is that you banish this range from your network.
ZScaler are also tracking their infection, an analysis of what it does can be found here.