This is hosted on 220.127.116.11. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.
The injected script sends the keywords and referring site upstream, for example:
[donotcliick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se

Although the attacks in the past few days only seem to have utilised 18.104.22.168, an analysis of the netblock [pastebin] shows several bad or spammy sites in 22.214.171.124/23, so my recommendation is that you banish this range from your network.
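To find clients that loaded the injected script, the beacon request quoted above can be matched in web proxy logs by its path and parameter set. The following is an added example, not code from the original post; the log layout (timestamp, client IP, URL) and the client addresses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the beacon URL quoted in the post.
BEACON_PARAMS = ("default_keyword", "referrer", "se_referrer", "source")

def parse_beacon(url):
    """Return decoded beacon fields if url matches the /snitch request, else None."""
    if "://" not in url:
        url = "http://" + url              # logs often omit the scheme
    parts = urlsplit(url)
    if parts.path.rstrip("/") != "/snitch":
        return None
    # keep_blank_values: referrer= and se_referrer= are empty in the sample
    query = parse_qs(parts.query, keep_blank_values=True)
    if not all(name in query for name in BEACON_PARAMS):
        return None
    fields = {name: query[name][0] for name in BEACON_PARAMS}
    fields["beacon_host"] = parts.hostname
    return fields

def scan_proxy_log(lines):
    """Return (client_ip, fields) for every log line carrying the beacon."""
    hits = []
    for line in lines:
        cols = line.split()
        if len(cols) < 3:
            continue                        # not in the assumed 3-column layout
        fields = parse_beacon(cols[2])
        if fields is not None:
            hits.append((cols[1], fields))
    return hits

# Constructed sample log: assumed layout "timestamp client_ip url".
SAMPLE_LOG = [
    "2014-01-01T10:00:01 10.0.0.12 http://www.example.org/index.html",
    "2014-01-01T10:00:02 10.0.0.15 http://kfc.i.illuminationes.com/snitch"
    "?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian"
    "%20website%20in%20Sweden%2FEurope&referrer=&se_referrer="
    "&source=www.teamtyra.se",
    "2014-01-01T10:00:03 10.0.0.20 http://www.example.com/snitch?source=x",
]

if __name__ == "__main__":
    for client, f in scan_proxy_log(SAMPLE_LOG):
        print(client, "visited injected site", f["source"],
              "-> beacon to", f["beacon_host"])
```

The `source` field names the site carrying the injected script, so the hits also give a list of compromised sites your users visited.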
ZScaler are also tracking their infection; an analysis of what it does can be found here.